On 29 August, the Google Project Zero team published a rather alarming blog post highlighting a series of exploits targeting iPhone users. According to Google, the exploit spread via infected websites. Simply visiting a site was enough to compromise a phone’s security.
Infected phones would divulge a wealth of personal information on the user, including messages, location data, and more. Google claimed that “thousands of users” visited the infected sites. The report did add that the attack looked like a state-sponsored attack as the exploits targeted sites sharing information on China’s persecuted Uighur Muslim community.
Google claims to have reported the exploits to Apple and to have given them seven days to fix the issue. Apple fixed the issue in update iOS 12.1.4, which arrived on 7 February.
Apple has now hit back at Google and disputes Google’s version of the timeline, essentially claiming that the Project Zero blog was alarmist and misrepresented the scope of the attack.
In a statement issued to the public, Apple explains that the attack was very targeted and affected less than a dozen sites focused on the Uighur community. The attack was not indiscriminate and did not target users worldwide.
Apple also claims that its engineers had already identified the attack and had started work on it before it was reported to them by Google. Apparently, the vulnerabilities were patched within 10 days of the attacks being discovered. Google’s report arrived while Apple was working on a fix.
Specifically, Apple notes that:
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.