Apple and Google feud over iPhone security: attack affected fewer than a dozen websites.
Tech giants Apple and Google engaged in a rare public feud on Friday, as the iPhone maker accused the search giant of “stoking fear” when it revealed an embarrassing vulnerability that enabled hackers to gain access to sensitive consumer data.
Apple was upset with how Google’s Project Zero handled a sophisticated attack against iPhone users, saying the detailed blog a week ago “creates the false impression of ‘mass exploitation’ . . . stoking fear among all iPhone users that their devices had been compromised”.
While detailed, Project Zero’s post failed to mention which websites, or what kind of websites, were targeted, creating the impression that all iPhone users may have been targeted.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device,” Project Zero wrote in the post. “We estimate that these sites receive thousands of visitors per week.”
But the reality, Apple said, is that “fewer than a dozen websites that focus on content related to the Uighur community” were impacted. The Uighurs are a minority Muslim community who have been subject to mass surveillance and detention in China.
Both companies acknowledge a security patch was given to iPhone users in February, just days after Google alerted Apple to the vulnerability. Apple took no action at the time to notify iPhone owners of the security breach.
According to Google, hackers had the ability to read all the database files on the victim’s phone used by popular end-to-end encryption apps like WhatsApp, Telegram and iMessage.
The hack could have ramifications for Apple, which has been marketing security and privacy as a key differentiator from rivals, including Google. Apple downplayed the scale of the attack but said, “We take the safety and security of all users extremely seriously.”
Apple also took issue with Google implying the infected sites existed for two years, when “evidence indicates that these website attacks were only operational for . . . roughly two months”. However, Apple overlooked that the vulnerability most likely did exist for two years.
What remains unclear is whether the original attack was specific to the iPhone or was platform-agnostic malware that exposed security flaws in Google’s own Android software as well as Microsoft devices, as alleged in an article on the Forbes website and discussed in a blog from Volexity, a cyber security firm, earlier this week.
Microsoft said it was not aware of any similar attack against its devices but “should new information be disclosed, we will take appropriate action as needed to help keep customers protected”.
Google declined to comment on whether its own devices were caught up in the attack. It only said: “We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”