Apple Sets the Record Straight About the Latest Watering Hole Operation

Last updated September 23, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

Apple has finally issued a response to the Google Project Zero revelations, reassuring its customers that the level of security in iOS has not suddenly deteriorated. Last week, Google’s Project Zero published a detailed blog post in which staggering revelations about the exploitation of iOS zero-days were presented. According to what Google laid out, a set of malicious websites was actively targeting a wide range of Apple devices using exploit chains that worked with all versions of iOS. Two of the vulnerabilities were unfixed flaws at the time of their discovery.

A few days after the post was published, it was discovered that the operation was targeting Uyghur Muslims and that the actors were likely backed by the Chinese state. Apple relies on this detail to explain that the operation wasn’t a massive or even a remotely large-scale campaign against its customers. Moreover, while Project Zero said that the operation has been going on since 2016, Apple now says that this claim is misleading. As the company points out, the evidence indicates that the malicious websites were only operational for roughly two months, not years of continuous exploitation.

In addition, Apple claims that when the Google Project Zero researchers approached the company about the unfixed flaws, it was already in the process of fixing the vulnerabilities. This is proven by the fact that Apple plugged the problems within just ten days. The response was rapid, so the number of people who fell victim to this operation drops even more. Finally, Apple closes its statement by saying that iOS security remains unmatched and that it constantly iterates to introduce new protections and patch any flaws as soon as they are found.

Google and Apple are fierce competitors in the mobile OS space, so security revelations have marketing implications as well as consequences. Whatever the case really is with the presented operation, Project Zero’s post was enough to damage Apple’s image, implying that a group of actors could steal sensitive user data from any iPhone since 2016. The researchers also warned about the possibility of more operations of this type that they haven’t discovered yet. While some parts of this report could be a bit magnified or somewhat exaggerated, technically speaking, the flaws were there, and the actors did leverage them. How long this went on, and how many fell into the watering hole, is another matter.

Do you think that Apple is right to play down this incident, or is the company indulging in damage limitation? Let us know your opinion in the comments below, and also on our socials, on Facebook and Twitter.
