Apple iPhone, famous for their locked-down security, are under threat of being hacked by simply visiting a normal looking website. Google warns 1 Billion apple users they may have been attacked and Apple’s security vulnerabilities are headline news all over again. Just days after its highly-publicized emergency iPhone patch, Google’s security researchers have published a new "website hack" warning that is a hammer blow to the locked down security reputation of the Cupertino tech giant. Worse, the warning came the very day the iPhone 11 launch was confirmed. And as security warnings go, this one is serious. A website could hack your iPhone.

Google’s Project Zero team has disclosed that a number of "hacked websites" have been used to attack iPhones for two years. And every single iPhone has been vulnerable. “There was no target discrimination,” the researchers reported, “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.”

In the starting of this year, Apple disclosed that active install base of iPhone has reached 900 million. With a global active installed base is expected to exceed 1 billion this year, Apple’s iPhones continue to be some of the most desired smartphones worldwide. Therefore, the reported incidents of a coordinated hacking campaign attacking iOS users, undoubtedly, come as unpleasant news to the tech magnate.

Tim Cook also revealed a few more interesting facts about the company and its performance:

* The Active Install Base of Apple devices has reached an all-time high to 1.4 billion, largely due to iPhone which has an active instal base of 900 million.

* Apple has got $130 billion cash in the bank – enough to buy the world’s top two most valued startups.

Despite missing the revenue target for fiscal Q1 2019, Apple’s share rose 6% post-result announcement.

IPhone Hacking: Watering Hole Attacks

Known as watering hole attacks, these exploits can compromise the security of end-users by infecting websites and using them as bait to load malware into the victim’s device. These malware or malvertisements infect devices visiting the website. This technique is one of the most used hacking techniques today and is used to conduct identity theft and steal sensitive information from unsuspecting victims.

The threat actors used compromised websites to run watering hole attacks targeting users of iPhone devices running almost all versions between iOS 10 and iOS 12, sites that were visited thousands of times each week.

The malicious websites were in operation for at least two years, and every iPhone running iOS through iOS 12 was vulnerable to attack. In reality, that means pretty much every iPhone was vulnerable that entire time. This implies that iPhone XS, iPhone XS Max, and iPhone XR users were protected from these attacks since the JSC exploits would have "bailed out if they ran on an A12 device."

In Box: The attack could have devastating consequences. Accessing photos and messages, stealing login credentials and banking passwords, even accessing location information. And those passwords could have stored in the system, not scraped as a website was being accessed.

The problem for Apple will start, where the customers will lose the confidence on Apple. So severe is this disclosure, so damaging and intrusive the nature of the vulnerability, that it will leave users asking questions about how such a serious range of flaws could have been left open. This disclosure could well undermine that-not because of the response, but because of the severity of the vulnerability. So now we can say, every mobile phone can be cracked or hacked and nothing is secure. As published “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly,” Google said in its disclosure, “treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

The disclosure was published late on the day that Apple announced the launch date for the upcoming iPhone 11. Purely by coincidence, of course.

No comment on any of this as yet from Apple.

As for advice to the millions of users worried at this news? Clearly update right away-this issue was fixed, but others will have been found since. Take care with websites that are visited and apps that are downloaded. And always use common sense. Smartphones are the keys to our digital kingdoms, and should be treated as such.

These attacks are programmed to steal photos, iMessages, and live GPS location data from devices and upload them to an external server every sixty seconds. Also, the implant can gain access to the device’s keychain data which contains authentication tokens, credentials and certificates accessed by the device. Other popular end-to-end encryption apps on iOS platform like Whatsapp and Telegram are also vulnerable to these exploits.

Beer also notes that the group behind the iPhone hacking could be targeting users of iPhones in certain communities for over two years. Although no information about the hacked websites was released, Apple assures its users that the majority of these issues have been patched. iOS users are advised to update their devices to avoid such malicious hacking campaigns. Apple issued patches just a week later after Google disclosed the vulnerabilities being exploited by the hackers.

Recently, Apple is also launching a Mac bug bounty and is extending it to watchOS and its Apple TV operating system. Apple CEO Tim Cook has called privacy a "human right," amid growing security concerns in the world.

It is the same reason why, Apple had recently organised and offered $1million (£830,000) to anyone who is able to hack an iPhone in a bold test of their security systems. Apple's head of security Ivan Krstić said hackers will have a chance at winning the huge payout this autumn- a sum that is by far the highest bug bounty on offer from any major tech company. Probable, Apple wants to identify the smart hackers.