Hackers may be exploiting a previously unknown flaw in iOS.
On Friday, Apple issued a security patch for a vulnerability in iOS 14 that can pave the way for an attacker to run malicious code on an iPhone. “Apple is aware of a report that this issue may have been actively exploited,” the company warned.
Apple didn’t go into details, but the vulnerability deals with WebKit, the browser engine in Safari. Due to a software error, specially crafted web content can trigger WebKit to run untrusted computer code over the browser in what’s known as a universal cross site scripting attack.
A hacker could exploit the vulnerability by developing a booby-trapped website. A link to the malicious website could then be sent to unsuspecting victims on social media or via email. The other method of exploitation involves a hacker tampering with an existing website by secretly embedding the malicious web content in the page.
Through the cross-site scripting attack, a hacker could then steal the internet cookies and session tokens over a Safari browser, opening the door for account hijacking.
Two security researchers at Google discovered the vulnerability and reported it to Apple. To patch the flaw, Apple says it “improved management of object lifetimes” within WebKit.
The vulnerability affects iPhone 6s and later, all models of the iPad Pro, the iPad Air 2 and later, and the iPad 5th generation and above. The company’s patch is arriving as iOS 14.4.2 and iPadOS 14.4.2. To update your iPhone, go to Settings > General > Software Update. The device can also update automatically if you’ve toggled on automatic updates.
Apple also released a patch for watchOS. It’ll arrive as watchOS version 7.3.3.
