iPhones have been under attack for 30 months. Please read.

Rather than trying to type all the info in, this is from the Telegraph, which appears to have beaten the trade sites to publish.



Hackers have been using compromised websites to install "monitoring implants" in iPhones for years, according to researchers at Google.
The unprecedented attack, which lasted 30 months, allowed cyber criminals to gather users' images, contacts, passwords and location data.
Hackers were also able to read people's messages and intercept their emails, allowing them to gain a complete overview of a target's digital life.
The websites, which haven't been named, received thousands of visitors each week according to Ian Beer from Google's Project Zero.
"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, to install a monitoring implant," Mr Beer said.
Mr Beer said most of the security flaws were found within Safari, the default web browser on Apple devices.
Recent iPhone operating systems from iOS 10 to iOS 12 were targeted in the hack. Once installed, the malicious software "primarily focused on stealing files and uploading live location data," Beer wrote, adding it had been able to access encrypted messenger apps like Telegram, WhatsApp and iMessage.
Dr Lukasz Olejnik, a cybersecurity and privacy researcher, and research associate at the Center for Technology and Global Affairs at Oxford University, called it "a high impact, very sophisticated and efficient" attack.



"These look to be very specific, sophisticated and costly tools," he said. "This cost was unfortunately amortised by the big exposure to potentially thousands of users over years, making the price of the whole operation potentially very cost effective. In this case, even if the tools were priced at millions of pounds, the cost should no longer be seen as high."



Google said it reported the security issues to Apple on February 1. Apple then released an operating system update on February 7 which blocked the malicious software.
Security experts advise that people regularly update their phone's software so that they have the latest protection against exploits such as this.
Mr Beer said that the malicious software was not saved on Apple devices and could be removed by rebooting the phones. But hackers could still keep accessing online accounts using stolen passwords.
"Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device," he wrote.
The exploit was able to steal large amounts of people's personal data, including:
  • Passwords
  • Photos
  • Location data
  • Emails
  • Messages
  • Contacts
  • WiFi passwords
  • The iPhone serial number
Vulnerabilities in software such as Apple's iOS operating system or the WhatsApp messaging app are typically used in targeted attacks where a victim is singled out, but the exploit described by Google was used to target thousands of people.



Cybersecurity expert Joseph Carson, chief security scientist at Thycotic, said it was "surprising" that the hackers used so-called "zero day" exploits which hadn't been discovered by Apple.
"Neither cyber criminals nor nation states will waste zero days on limited opportunistic cyberattacks," he said, "this typically means that such cyberattacks using zero days are targeted usually against a specific set of victims."
Earlier this week, Apple released an update to its iPhone operating system which fixed an accidental security flaw.
An Apple spokesman did not respond to a request for comment.
Apple's iOS is considered one of the most secure operating systems available because both it and the devices it runs on are built and managed by Apple - with little chance for gaps to appear between hardware and software that could be exploited by hackers.
The general security of the technology giant's devices has also previously placed it at odds with intelligence services in the US.
Apple was involved in a stand-off with the FBI in 2016 over access to the phone of a terror suspect in the San Bernardino shooting in California.
The FBI had asked Apple to create a software "back-door" to get around the phone's security settings and access data on the suspect's iPhone, but the tech firm refused.



Apple argued that overall user privacy was paramount and that creating a back-door to its software could place all iPhone users at risk should the tool ever fall into the wrong hands.
 
Gromett
More details here.

 

Hollyberry

Anything I can do to tell if my phone’s been infected? Or to protect it if it was but that was wiped out with an update?


 
Anything I can do to tell if my phone’s been infected? Or to protect it if it was but that was wiped out with an update?
It sounds like it's non-persistent. Just rebooting your phone removes it (until next time you visit a compromised site). The issue isn't whether you have it now, it's the data that was collected at any time you were infected in the past. If you were the paranoid type, you'd be running round and updating all your passwords right now...
 
