On the same day Apple Inc. revealed the date for its latest iPhone event, Google’s privacy team said it had discovered a two-year-long vulnerability in the phone-maker’s software.
The bug targeted a small number of websites. Simply visiting those pages could have left iPhone users susceptible to the breach and possibly affected thousands of users per week, Google Zero wrote in a number of blog posts on Thursday.
Visiting the unnamed sites allowed hackers to gain access to a plethora of information: they could track movements via the phone’s GPS system, obtain passwords and be privy to sensitive conversations through iMessage and WhatsApp.
The report from Google came at the same time Apple announced the date for unveiling its next iPhones, and potentially a slew of other products. Earlier in August Apple’s top security engineer said the company would begin distributing special iPhones to researchers to help them discover flaws before malicious hackers do.
The bug-hunting hackers at Google reported the issue to Apple on Feb. 1 and, less than a week later, Apple updated its operating systems. Apple did not return a request for comment.
Google’s Project Zero is an elite unit of Alphabet Inc.’s Google, made up of cybersleuths who hunt for “zero day” vulnerabilities — unintended design flaws that can be exploited by hackers to break into computer systems.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly,” Ian Beer, a Project Zero researcher, wrote in a blog post. “Treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
Beer said attackers exploited fourteen different software flaws, including seven that targeted Safari, the iPhone’s built-in web browser. By developing five distinct entry points, the cybercriminals could access various features on the phone, including those usually off-limits to users. This meant hackers could quietly install malware onto the device without the owner knowing.
One bright side is that the bug isn’t persistent. Simply rebooting the device will wipe it clean, unless the device is put at risk again. However, Beer said hackers could continue to have access to accounts they had passwords for even after they lost the ability to get new information from the phone.