Google blog post didn’t say how they found the infected website(s) using the iOS zero-days. But I’m sitting here thinking, again, that after $127B in annual InfoSec spending, it was an advertising platform that found it... and not a security vendor. Threat intel or otherwise.
-
Show this thread
-
While we don’t yet know who the threat-actor is being the iOS watering hole attack, or their motivation, but they know their tools have been discovered and activity made public... what might they be doing right now to protect themselves or their operations?
3 replies 10 retweets 28 likesShow this thread -
Step 1. Crawl the Internet searching for infected websites spraying iOS zero-days. Step 2. Submit to Apple Step 3. Profit (7-figures)
4 replies 9 retweets 43 likesShow this thread -
What are the chances that there are other websites out there, right now, spraying a completely different collection of iOS zero-days? It would have to be non-zero right?
5 replies 5 retweets 43 likesShow this thread -
When/if we learn who the threat actors are, the URLs to the infected websites, and who the intended targets may have been... this story could get way crazy.
2 replies 5 retweets 28 likesShow this thread -
2 replies 3 retweets 16 likesShow this thread -
I forgot to say that this is stelar work by Google's Threat Analysis Group and an incredible contribution. All the credit in the world to these guys.
1 reply 5 retweets 57 likesShow this thread -
@thegrugq@daveaitel possible (or likely) that these exploits where previously used in more highly targeted attacks, and that they then purposely burnt them in a wider attack to cover their tracks? Or something along those lines.2 replies 0 retweets 24 likesShow this thread -
Now just imagine if we (and Mozilla, etc.) were allowed to ship a real browser to help folks cope. It seems absolutely mad that Apple concentrates the reputation risk ala IE6.
1 reply 0 retweets 0 likes -
Then are we back to discussing how when browsers break the web, they risk negatively impacting their marketshare? Seems to always be the core issue in browser security & privacy.
1 reply 0 retweets 0 likes
Browsers have 2 decades of history of being willing to break the web to fox security -- it's job zero. On most OSes, that was backstopped by real competition. iOS is uniquely anti-market-for-quality in this regard.
-
-
Replying to @slightlylate @jeremiahg and
...and it's not like they're using that position to lead the web to better, more competitive outcomes: http://web-confluence.appspot.com/
1 reply 0 retweets 0 likes -
Replying to @slightlylate @jeremiahg and
If they wanted to catch up and be a high-quality implementation of the web, Apple could double the size of the WebKit team overnight, give everyone who has held on through lean staffing times a raise (and well-deserved bonus)...and not even notice:https://www.cnbc.com/2019/01/29/apple-now-has-tk-cash-on-hand.html …
1 reply 0 retweets 3 likes - 1 more reply
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
& Web Standards TL; Blink API OWNER
Named PWAs w/
DMs open. Tweets my own; press@google.com for official comms.
