Visited hacked site on iPhone

Talk about internet security, computer security, personal security, your social security number...
Post Reply
barbaz
Senior Member
Posts: 10830
Joined: Sat Aug 03, 2013 5:45 pm

Visited hacked site on iPhone

Post by barbaz »

Browsing on this iPhone browser (Orion) while my computer was busy, and one of the sites I visited seem to be hacked - it redirected me to some random .live site. Now sure how concerned to be about this - on the one hand, some mitigations were in place, but OTOH it's probably not as secure as my main browser with NoScript etc.

Javascript is disabled by default in this Orion browser, so AFAIK was disabled for the .live site, but it was enabled on the site that was hacked, since this is a site I've visited before & use active content there. Orion content blocking based on EasyList & EasyPrivacy was enabled, and this phone uses Quad9 DoH system-wide. iOS was updated to latest version (17.0.3) prior to this incident, as were all installed apps.

So how concerned should I be? Is there something I need to check to make sure the phone isn't infected?

Also not sure how concerned to be that this happened on the same LAN/router as our main computers are on?

Thanks for any insight.

EDIT
FWIW, I can no longer reproduce the redirection, neither on the phone nor on my computer, so assuming the site has already been cleaned up.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/8616.1.27.10.16 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/8616.1.27.10.16
barbaz
Senior Member
Posts: 10830
Joined: Sat Aug 03, 2013 5:45 pm

Re: Visited hacked site on iPhone

Post by barbaz »

No one knows enough either about iOS or about these redirection type website hacks to be able to help assess how likely it is that mitigations prevented the iPhone from getting infected?

I did some web searching for what signs an iPhone might be hacked. Not seeing any of the signs I know how to check for, but I don't know how to check all of them - specifically, not sure how to check data usage when the iPhone only connects to Internet through Wi-Fi (and rarely even that, it's usually offline except for software updates). Also, since malware has sometimes been known to sit completely dormant for a long time after infection, not sure there would necessarily be any sign yet if there was an infection? Assessing along these lines is getting into the impossible task of trying to prove a negative, so would rather base assessment on what mitigations were in place.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: Visited hacked site on iPhone

Post by musonius »

I don't know enough to answer your question, but I think I can say with some certainty that the best thing to do is to completely reset your iPhone to factory defaults and set it up anew if you want to be sure. I don't think you can prove that your phone has not been infected, because no one can manage the impossible task of proving a negative indeed. And checking all signs of infection always leaves a remaining uncertainty and may also take longer than setting your phone up anew.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
barbaz
Senior Member
Posts: 10830
Joined: Sat Aug 03, 2013 5:45 pm

Re: Visited hacked site on iPhone

Post by barbaz »

musonius wrote: Mon Oct 16, 2023 5:02 pm the best thing to do is to completely reset your iPhone to factory defaults and set it up anew
That's exactly the sort of thing I'm hoping is not necessary :( Setting that phone up new was a difficult multi-day process. I'm not able to put in that kind of time and effort in the foreseeable future, so if it comes down to that, we will be without this phone for a while. Also, there are no backups of this phone, so a full reset would lose some data (although AFAIK what couldn't be reconstructed is not critically important).
musonius wrote: Mon Oct 16, 2023 5:02 pm I don't think you can prove that your phone has not been infected,
This actually depends on the method of proof.

Several times, I have visited hacked sites on my main production browser on my primary system. Active content was allowed for the hacked site in some cases. But I know my system was not compromised: not only is this browser up-to-date with latest vulnerability patches, not only is it also sandboxed (both from the browser itself and externally-applied sandboxing), it additionally has NoScript + uBlock Origin + other addons applying security measures. And there are additional security layers at the system level. I understand many of the mitigations in place, and can use that understanding to know that the combination of active mitigations would've blocked the malicious activity.

The main issue here is that I lack sufficient understanding of iOS security: if I understood it better, I would know whether the setup on that iPhone would've stopped this specific type of malicious activity from doing any damage.

Failing that, maybe knowing more general details about website hacks that cause redirect to other websites would provide some insight? Which when combined with the knowledge I do have, maybe enough to be sure enough, because a malware that doesn't need to present any user-facing signal of its presence in order to do its damage would surely avoid showing any user-visible sign that something's up, wouldn't it?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
musonius
Master Bug Buster
Posts: 203
Joined: Sun Jul 08, 2018 5:38 pm

Re: Visited hacked site on iPhone

Post by musonius »

Your primary system seems to be secure enough to be sure enough that it is not compromised after such an incident. Although I would not call that a proof, this would be good enough for me.

Unfortunately, I have insufficient understanding of iOS security. Apart from that, I assume that the bigger danger may be found at the site you got forwarded to, but that's only a guess, you are certainly much more the expert here than I am. Also, if I had to reset my iPhone, it would be annoying, but it would not take many days. I am very hesitant to use a phone for critical applications like many others do, but if it were compromised after visiting an infected page, it would matter though.

I hope you'll find more competent persons than me and wish you all the best.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
User avatar
therube
Ambassador
Posts: 7922
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Visited hacked site on iPhone

Post by therube »

(I know zilch about "phones".

I wish there were still such things. Was thinking, when I tell Verizon to go F themselves, I would say something like "you are a phone company, but, in reality, they are not. Imagine that. Your "phone" company is not a phone company.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
barbaz
Senior Member
Posts: 10830
Joined: Sat Aug 03, 2013 5:45 pm

Re: Visited hacked site on iPhone

Post by barbaz »

Found this, which helps but is partially over my head - https://help.apple.com/pdf/security/en_ ... -guide.pdf

Based on the parts of that PDF I do understand, seems highly unlikely this iPhone would've been hacked. At least, not at the system level anyway. Sounds like maybe I could assuage the potential concern just by uninstalling & reinstalling Orion browser, which I believe would also delete/reset all its data? That would be doable.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0
Post Reply