Your iPhone has probably been hacked. What? Oh, sorry it’s fixed now. Sorry, didn’t mean to scare you. Researchers from Google’s project zero posted a write up detailing a system of websites that attacked any iPhone that visited them by taking advantage of 14 different exploits.
The researchers estimate that the site’s received thousands of visitors a week for at least two years and if an attack was successful an affected iPhone would be implanted with an hour that would steal files location data usernames and passwords to passwords.
The iOS security flaws have now been fixed after Google disclosed the issue to Apple in February but the attackers could still have that data that they harvested from hundreds of thousands of iPhones so I guess what happens on your iPhone might very well stay on your iPhone as long as you don’t go on the Internet…
According to a deep-dive blog post published by Project Zero researcher Ian Beer, only two of the 14 security vulnerabilities were zero-days, CVE-2019-7287 and CVE-2019-7286, and unpatched at the time of discovery.
The spyware implant also stole the database files from the victim’s device used by popular end-to-end encryption apps like Whatsapp, Telegram, and iMessage to store data, including private chats in the plaintext.
Alternatively, as Beer explains, the attackers may “nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.”