Recently Google’s Project Zero unearthed several websites that injected malware on iPhones. According to the security analyst, it was one of the largest attacks against the iPhone. Now, Apple has published its rebuttal and says some of the claims made by Google are false.
According to Google’s report, the malware was “primarily focused on stealing files and uploading live location data.” Apple has released a statement that also claims some of the facts were misinterpreted by Google. For instance, the attack apparently affected less than a dozen websites that catered to the Uighur community. Apple also disputes the claim of “mass exploitation” and blames the report for “stroking fear among all iPhone users.”
Apple also establishes that website attacks were operational only for a brief period. The company claims that exploits were active for nearly two months as opposed to the two-years time period detailed on the report.
All evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
When it comes to security it is always better to overestimate the threat and deal with diligence. In this case, Google’s Project Zero team may or may not have gotten some things wrong. However, the fact remains that researchers should keep on working to find and fix security vulnerabilities.