Malicious websites to hack your iPhone

You might have heard about the attacks on iPhone users through hacked websites. The news has been widely covered on Thursday 29 and Friday 30 August 2019 by tech medias (9TO5Mac, TechCrunch) and major online news websites (BBC News, The Guardian, Forbes, etc.).

iPhone

The facts

The Google Project Zero discovered and reported the issues to Apple on 01 February 2019. Hopefully, Apple immediately took action and released a fix within iOS 12.1.4 patch made available on 09 February 2019.

In details, Google’s Project Zero team has disclosed that a number of “hacked websites” have been used to attack iPhones for two years. The researchers reported “there was no target discrimination, simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”

There is no detail regarding the hacked websites. However Google’s Project Zero said in a deep-dive blog post that the websites were visited thousands of times per week.

Once the device hacked, the implant would allow the attacker to gain access to the deepest secrets stored on the phone. For instance, examples given were the user’s location, the device’s keychain (which contains all the user’s passwords), the chat histories on apps such as WhatsApp, Telegram and iMessage, the address book and data from Gmail.

The vulnerabilities affect iOS from version 10 to 12.

What you should do

To take no risk, you can follow the few simple steps below:

  1. Ensure that your iPhone is up-to-date. If it is not, consider to update your iPhone to the latest version
  2. Change your password for any account you had the login details saved on your iPhone

If you have any doubt regarding what to do, please do not hesitate to contact us for support.