iOS vulnerability allowed passwords and photos to be leaked for two years

The most critical iPhone vulnerability was not noticed for two years

At the time of publication, all vulnerabilities had been fixed by security updates in Apple products.

Information security researchers from Google Project Zero found a group of websites containing code that, through the browser on an iPhone, installs a program that obtains root privileges and uploads sensitive data, including passwords, location data and photos, to a remote server, N+1 writes.

The attackers developed at least five attacks based on 14 vulnerabilities. They were active for more than two years, and one of them worked on the current version, iOS 12, until it was detected. At the time of publication, all vulnerabilities had been fixed by security updates.

On August 29, 2019, researchers from Project Zero released information about the discovery of a number of critical zero-day vulnerabilities that had been used in practice for at least two years.

According to the published study, the researchers reported the findings to Apple in February, so the company fixed the vulnerability before the public disclosure.

The researchers found a small group of hacked websites containing code that compromises the iPhone through the Safari browser. Technically, other browsers and the iPad were also exposed to the vulnerabilities, because developers on iOS can only use the system WebKit engine, but the researchers say the attack was aimed at the iPhone and Safari.

The researchers found that the malicious program activates every minute and sends a remote server the data of popular instant messengers such as WhatsApp, iMessage and Telegram, in decrypted form.

In addition, it sends all the pictures from the gallery and the device's location, and also copies passwords and keys from Keychain, the password manager built into iOS, which allows the attackers to access multiple user accounts.

The study's authors noted that all of the discovered vulnerabilities have already been fixed by Apple and that they are useless against devices based on the A12 CPU (iPhone XS and XR), because in that chip Apple implemented a new protection against attacks on the JIT compiler.

Earlier it was reported that Apple had warned owners of Apple Watch smartwatches with aluminum cases about the possible risk of specific cracks appearing in the gadgets' screens.
