This is wild. A group was using hacked websites to indiscriminately exploit iPhones using zero-days exploits and somehow went unnoticed for years. Who says is google zero-day project – A very deep dive into iOS Exploit chains found in the wild.
The google zero project was able to accumulate five separate, total and unique iPhone exploits chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This showed a group making a sustained effort to hack the users iPhones in certain communities over a period of at least two years.
This article covers every vulnerability in detail, including root cause analysis, what steps could have been taken to prevent the bugs, and what steps should be taken to ensure they don’t happen again.
Google zero will look at how the attackers modify their exploitation techniques overtime to defeat new mitigations and investigate the capabilities of the attacker’s implant to access personal information on the exploited devices.
Unfortunately the post doesn’t list which sites were hacked, but generally, there’s only a few governments who would throw zero-days around in that manner. Maybe we are missing something, but it feels like Apple should have found this themselves. Bug bounties are cool for all, but good telemetry is significantly more important.