Apple Says Google Blew iPhone Hacking Report Out of Proportion



Apple is used to promoting the security of its products in comparison to the competition, but it was on the defensive last week following a report from Google’s Project Zero. According to Google researchers, iOS was the target of a sophisticated attack for two years until Google alerted Apple in early 2019. However, Apple is now seeking to downplay the severity of the attack, claiming Project Zero has blown the whole thing out of proportion. 

The news of Apple’s iPhone vulnerability broke recently with an in-depth report from Project Zero, a group at Google that specializes in uncovering zero-day hacks that threaten internet users. According to the team, a number of websites had deployed hacks that could install malware with root access on the iPhone. The operators of the sites could steal data, monitor phone locations, and even access the user’s on-device password storage. Google said the attacks operated “over a period of at least two years” and covered almost every version of iOS active during that time. 

Apple issued a press release late last week disputing part of Google’s findings. The iPhone maker strenuously objects to Google’s claim that the attacks operated for two years. In fact, Apple says it was closer to two months. Furthermore, Apple says it already knew about the flaws and was conveniently already working on a fix. It’s impossible to verify that claim, but it does sound suspect. Google’s Project Zero researchers are cited in Apple’s official changelog from February as reporting the flaws. 

The timeline of iOS hacks from Project Zero.

Apple also says the attack focused on the Uyghur community, a group of ethnically Turkic Muslims living in western China. Uyghurs have been targeted for persecution and imprisonment by Chinese authorities for years. The government often uses technological means like the iPhone hack to track and investigate the Uyghur population. 

Apple seems to be suggesting that Google wanted to make the flaws look more severe than they were, but Project Zero has traditionally conducted its business without favoritism. In response to Apple’s criticism, Project Zero has issued a statement standing by its “in-depth research which was written to focus on the technical aspects of these vulnerabilities.”

Google is used to getting publicly chastised for security vulnerabilities — Android is open source, but Apple has the benefit of quietly patching exploits as it finds them in its closed software. Perhaps the iPhone maker is just a little overly sensitive with its new iPhone unveiling this week.


Apple doesn’t want Google ‘stoking fear’ about serious iOS security exploits


Apple has issued a tart response to an extensive report by Google of a serious security flaw in iOS. The flaw, which let an attacker gain root access to a device visiting a malicious website, was reported last week. Apple wants to “make sure all of our customers have the facts,” which is funny, because it’s likely we wouldn’t have any of the facts if Google had not so rigorously documented this issue.

In a brief news post, Apple says that it has heard concerns from its customers and wants to make sure they know they are not at risk.

The attack, Apple says, was “narrowly focused” and not an exploit “en masse.” “The attack affected fewer than a dozen websites that focus on content related to the Uighur community,” Apple wrote.

While it’s true that only a small number of websites were affected, Google said that those websites were visited thousands of times per week — and the attacks were active for about two months. Even a conservative estimate based on these numbers suggests more than a hundred thousand devices could easily have been probed and, if vulnerable, infected. If only 1 in 100 were iPhones, that would be root access to a thousand of the target population. That rock-bottom estimate already sounds pretty “en masse” to me.

Furthermore, while it may make the non-Uighurs among us feel better that we were not the targets of this campaign, it’s cold comfort as the targeted demographic could just as easily have been a political or religious institution we do take part in.

Apple takes issue with Google’s suggestion that this offered “the capability to target and monitor the private activities of entire populations in real time.” This was, according to Apple, “stoking fear among all iPhone users that their devices had been compromised.”

Yet Google’s warning in this case seems relevant. An undetectable root exploit for current iPhones deployed via a website popular among a targeted population? That should stoke fear among all iPhone users, since it seems clear that they very well could have been compromised before now. After all, there’s no evidence this Uighur-targeted attack was the only one.

Apple points out that “when Google approached us, we were already in the process of fixing the exploited bugs.” That’s great. But who then wrote up a long technical discussion of the issue so that other security researchers, along with consumers, will be aware?

It’s a bit troubling for Apple to say that “iOS security is unmatched” during the discussion of an incredibly dangerous and powerful exploit that was apparently deployed successfully against an ethnic minority by, almost certainly, the only nation-state that has any interest in doing so. Has Apple explained to the Uighurs whose phones were invisibly and completely taken over by malicious software that it’s okay because “security is a never-ending journey”?

Had Google’s Project Zero researchers not documented this problem, we probably would never have heard about it except as an anonymous “security fixes” decimal point in our mobile operating systems.

Journey or no journey, this was a serious security failure that appears to have been successfully and maliciously exploited in the wild. Apple’s sour grapes and defensive language are out of place here, and a mea culpa would have behooved the company better.



Google Discovered Malicious Websites Used to Hack iPhones for Years



Apple likes to talk up its focus on security and privacy, but iPhone owners have unknowingly been targets of an indiscriminate and severe hacking campaign for at least two years. Google’s Project Zero team uncovered the scheme, which used websites loaded with unpatched exploits to install malware on iPhones that could track user locations, steal files, and more. Apple patched the flaws after they were reported, but we’re only now finding out the scale of the attack. 

According to Google, its researchers discovered the malicious websites in early 2019. Currently, the team believes the network of hacking sites had been operating for more than two years, attracting thousands of visitors per week. Unsuspecting iPhone users who visited the pages would come away with malware running as root on their devices — that’s the highest level of software privileges that even the device owner doesn’t have on iOS. 

Project Zero researchers identified five different exploit chains in the wild, leveraging 12 distinct security flaws. Seven of them involved the Safari browser engine, which even third-party browsers have to use. This wasn’t just targeting some archaic version of iOS, either. The attacks covered almost every version of iOS 10 through the latest iOS 12. After implanting the malware on iPhones, attackers could track user locations, copy photos, and even access the user’s on-device password storage. 

Again, this all happens silently in the browser. For all the fretting over malicious code popping up in apps for both Android and iOS, this is much more severe because the attackers don’t have to trick users into installing anything. It’s been a long time since zero-day browser-based hacks like this have shown up in the wild. Years back, there were websites you could visit that would use exploits to instantly jailbreak iPhones. Modern security practices ended easy browser hacking, or so we thought. 

Google reported the flaws privately to Apple in February, but it gave Apple just one week to roll out patches. That’s much shorter than the customary 90-day disclosure timeline. That drives home the seriousness of the attack. Not only is the impact on users severe, but the attackers were also actively infecting thousands of phones per week. Apple rolled out an update (iOS 12.1.4) six days later to fix the flaws. 

If there’s any bright spot in all of this, it’s that the attackers didn’t seem to have any particular target. Their victims were anyone unlucky enough to click on the malicious web link. While this hole is patched, the campaign carried on for two years. There could be other active exploits in the wild right now that no one in the security community knows about.
