Google's Project Zero team described this issue in an update. Project Zero’s mission is to make 0-day hard.
In the published article, they wrote: “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.”
Beer writes that Google’s Threat Analysis Group (TAG) was able to collect five distinct iPhone exploit chains based on 14 vulnerabilities. These exploit chains covered versions from iOS 10 up to the latest iteration of iOS 12. At least one of the chains was a zero day at the time of discovery, and Apple fixed the issues in February after Google warned them, Beer writes.
detailed write-ups of all five privilege escalation exploit chains;
a teardown of the implant used, including a demo of the implant running on my own devices, talking to a reverse-engineered command and control server and demonstrating the capabilities of the implant to steal private data like iMessages, photos and GPS location in real-time, and
analysis by fellow team member Samuel Groß on the browser exploits used as initial entry points.