UPDATED 13:22 EDT / AUGUST 30 2019

SECURITY

Google: Malicious sites hacked iPhones for years through unknown exploits

Google LLC’s Project Zero cybersecurity team has made an alarming discovery: a group of websites that exploited previously unknown iPhone vulnerabilities to hack Apple Inc. users.

Ian Beer, a researcher with Project Zero, detailed the hacking operation in a series of blog posts published Thursday night. The malicious sites apparently attacked any iPhone user who happened to open them and have been running for at least two years. Google estimates they received thousands of visitors per week.

The sites launched attacks by exploiting no fewer than 14 different iPhone vulnerabilities, some of which are zero-day flaws that weren’t previously known to the cybersecurity community. Seven of the bugs affected Apple’s default Safari browser for iOS. The other weaknesses were in the iOS kernel and the sandbox the operating system uses to limit apps’ access to the user’s device.

The malicious sites used the vulnerabilities as part of “five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12,” Google’s Beer wrote. “This indicated a group making a sustained effort to hack the users of iPhones in certain communities.”

The exploit chains employed different hacking methods but all had the same goal. In the event of a successful attack, the malicious sites installed a software “implant” on the victim’s iPhone that could track their location in near real time, view photos and swipe any login credentials stored on the device. The implant could even read messages in secure communication apps such as WhatsApp that employ end-to-end encryption.

The good news is that Google notified Apple of the vulnerabilities in February and the iPhone maker issued a patch shortly thereafter. However, the flaws raise some questions about Apple’s quality assurance process. Beer wrote that one of the exploit chains used an unfinished iOS feature the iPhone maker never got around to removing, while another bug exploited by the hackers could’ve been caught before release with a code assessment. 

“It’s difficult to understand how this error could be introduced into a core IPC library that shipped to end users,” Beer wrote about the second bug. “While errors are common in software development, a serious one like this should have quickly been found by a unit test, code review or even fuzzing.”

Apple has taken steps recently to more actively address potential vulnerabilities in iOS. Earlier this month, the company revealed plans to hand out specially configured test iPhones to the cybersecurity community that will enable researchers to more easily look for weaknesses. Apple has also increased the maximum payout it provides for vulnerability reports to $1 million, five times higher than what it offered in 2016. 
