Google says iPhone security holes went unnoticed for 2 years

iPhone security had a few holes.
File photo: Cult of Mac

Google’s Project Zero team said it found gaping security holes in iPhone software that left users exposed to hackers before Apple fixed the flaws earlier this year.

Project Zero released a report on the flaws for the first time Thursday night. The team’s Threat Analysis Group found 14 different exploits that hackers used to gain private data, including photos, messages, contacts and real-time location information from iPhones.

iPhone users were affected by visiting a handful of hacked websites, which could have impacted “thousands of visitors per week,” Project Zero’s Ian Beer wrote.

No specific group of users was targeted, the report said. The unnamed websites could attack a visitor’s device by installing “a monitoring implant.”

iPhone security flaws and Apple’s privacy vigilance

“Working with TAG, we discovered exploits for a total of 14 vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes,” the report said. “We reported these issues to Apple with a seven-day deadline on 1 Feb. 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb. 2019. We also shared the complete details with Apple.”

The disclosure of the breach comes on the eve of a new line of iPhones, which Apple is expected to unveil on Sept. 10.

The news also follows a rare Apple apology. Users learned Apple hired people to monitor Siri voice commands for quality control. Apple says it will reinforce privacy protection by giving users a choice to opt in.

Apple, especially CEO Tim Cook, often boasts about the security Apple users can expect from their devices. Ad campaigns often focus on privacy. For the Consumer Electronics Show in Las Vegas this year, Apple playfully jabbed at its competitors with a billboard that read, “What happens on your iPhone, stays on your iPhone.”

Apple has not commented on the Project Zero disclosure.

Source: CNBC