iPhone Exploit DarkSword Steals Data In Minutes With No Trace (nerds.xyz)
- Reference: 0181038938
- News link: https://apple.slashdot.org/story/26/03/19/006207/iphone-exploit-darksword-steals-data-in-minutes-with-no-trace
- Source link: https://nerds.xyz/2026/03/darksword-ios-exploit/
> A new iOS exploit chain called [2]DarkSword shows how attackers can break into certain iPhones, grab sensitive data like messages, credentials, and even crypto wallets, and [3]then disappear without leaving obvious traces . It targets older iOS 18 builds using Safari and WebGPU flaws to escape Apple's sandbox, which is pretty wild on its own, but what really stands out is how fast it works and how financially motivated these attacks have become. The takeaway is simple but important, update your iPhone ASAP and don't assume mobile devices are somehow safer than desktops anymore.
[1] https://slashdot.org/~BrianFagioli
[2] https://www.lookout.com/threat-intelligence/article/darksword
[3] https://nerds.xyz/2026/03/darksword-ios-exploit/
Er (Score:5, Insightful)
> and then disappear without leaving obvious traces.
Er, do attackers normally leave a handy log of traces?
> and don't assume mobile devices are somehow safer than desktops anymore
Was ... somebody assuming that? Why?
Re: (Score:2)
Yes, I was wondering the samer things. Quality "journalism" brought to you by a "technology journalist".
Re: (Score:2)
That appears to be a problem with the summary - the original articles (I must admit I did not read all of the first one) seem to be written by people who have a better idea of what they are talking about.
Re: (Score:2)
>> and don't assume mobile devices are somehow safer than desktops anymore
> Was ... somebody assuming that? Why?
Well, my manager at a Fortune 500 company about 8 years ago assumed/believed that. He was a good manager and had real IT experience. He wasn't a paper pusher who got into IT management. I was floored when he told me he believed accessing stuff via an iPhone was much safer than using a PC. I told him my assumption was the exact opposite. I asked him why he believed that and he said he just assumed various app makers simply had to make their apps more secure because people were moving away from using
Re: Er (Score:2)
Persistent malware by definition leaves code on the target so it can reload after a reboot.
What they call memory resident doesn't leave code on the device and therefore doesn't persist across reboots.
Re: (Score:2)
> Er, do attackers normally leave a handy log of traces?
They do not purposefully leave traces; but breaches can leave traces. Your assumption was traces were left on purpose which is not the normal case.
> Was ... somebody assuming that? Why?
Applications are more curated on phones than on desktops. Phones are by nature more locked down including use of security chips like iPhone's Secure Enclave, Google's Titan M2, and Samsung's Knox Vault . Desktops have been more open which is why people use them. One of the main reasons Windows 11 cannot be used on some older hardware is that the hardware lacks an
Re: (Score:2)
Even if they left a 479 page manifesto and a step by step log of everything they did you probably wouldn't be able to access whatever folder it was in without jailbreaking the device.
Who thinks mobile devices are secure? (Score:5, Interesting)
That sounds to me like a childish belief. What mobile devices get you is a second computer that is not easily associated with your first one for an attacker (if you are careful). But they are just computers. Not special in any way except for the from-factor.
I guess too many people still see tech as "magic".
Re: (Score:2)
I assume my phone is less secure than my desktop, because it's less frequently updated and probably a preferential target.
Re: (Score:2)
> I assume my phone is less secure than my desktop, because it's less frequently updated and probably a preferential target.
And fscking impossible to firewall properly. I've never tried with an apple phone but an android phone with always on VPN will still bypass the VPN when it feels like because "the OS is too important to be inconvenienced by such things"
The easiest way to see this happening is to remove the sim, so it has no mobile data at all, connect to wifi and turn on always on VPN.
Then monitor for tr
Re: (Score:2)
Disable JS in Safari and these exploits don't work.
Re: (Score:2)
> Disable JS in Safari and these exploits don't work.
Neither do most websites.
Re:Who thinks mobile devices are secure? (Score:5, Informative)
> Who thinks mobile devices are secure? That sounds to me like a childish belief. [...] I guess too many people still see tech as "magic".
Banks think mobile devices are secure. That's why they will let you upload a check image from your bank app but not from your desktop where you scanned it at high enough resolution to see security features.
Re: (Score:2)
> Banks think mobile devices are secure. That's why they will let you upload a check image from your bank app but not from your desktop where you scanned it at high enough resolution to see security features.
From the use of the historic concept of a "Cheque" (I assume auto-correct made that into "check") I assume you are talking about US banks? For some European banks I know, they assume a large faction of phones are compromised. They do assume the compromise is more limited on a phone and they scan for malware (as much as a single app is allowed to), but basically they just use the phone as 2nd factor where an attacker would have to compromise both devices to really gain anything. But they carefully monitor th
Re: (Score:3)
> From the use of the historic concept of a "Cheque" (I assume auto-correct made that into "check")
No, that's how we spell it in American English, the language spoken where this site was created and is hosted.
> I assume you are talking about US banks?
That part is correct.
> For some European banks I know, they assume a large faction of phones are compromised. They do assume the compromise is more limited on a phone
Womp womp
Re: (Score:2)
While cheque is the standard in British English, the original spelling was check, and the Oxford Dictionary still recognizes that.
Personally I prefer Oxford spelling, e.g. "recognize". It has the added benefit of not instantly identifying me as British online.
Re: (Score:2)
I personally don't care which people use, I can read either one just fine without confusion. I just don't want to be told that I'm using the wrong word or whatever when that's clearly not so.
Re: (Score:2)
> Technically a check is anything, so scanning those 'security features' isn't really relevant. You can write a check on a bar napkin, as long as all the required fields are present, routing numbers, account number, name, amount as text, amount numeric, date, and signature banks will often honor them. Although if it is something goofy like a bar napkin usually only in person and after a tedious conversation with the branch manager and if you have some long established relationship with the bank..
All of which is a long winded way to say that the security features are relevant, because you can't just send in a scan of a check written on a bar napkin.
Re: (Score:2)
I believe they are called Czechs. At least now that the republic doesn't also include Slovakia.
Who thinks banks need to care? (Score:2)
>> Who thinks mobile devices are secure? That sounds to me like a childish belief. [...] I guess too many people still see tech as "magic".
> Banks think mobile devices are secure. That's why they will let you upload a check image from your bank app but not from your desktop where you scanned it at high enough resolution to see security features.
The real reason? Banks hold ZERO liability regarding your personal device. Has almost nothing to do with security.
If they were actually liable, they would make you walk into a bank to deposit a check. Where they would check an approved form of ID in person, and perform additional analysis on the check itself to ensure it was valid. A process approved in triplicate by their liability mitigation department.
Right now banks can't even handle a small bank run. In the end, I doubt even that fancy FDIC placa
Re: (Score:1)
> I guess too many people still see tech as "magic".
No. Most people (including IT) more see that device as far more locked down. Go figure the overwhelming majority of people feel that way when root or admin rights an iPhone hasn't been reduced to a right-click option or pop-up approval for just any fucking moron user to click on.
Why do you think they've lasted this long in the corporate world? Side-loading hacker-friendly OSes were NOT going to make Crackberry execs feel secure.
Re: (Score:3)
They aren't general purpose personal computer, but somewhat specialized devices. The software one could install on a smartphone has normally a standard installation from a store and it's suppose that it's more curated than the average downloaded package. In other terms because a smartphone it's more limited, there are lesser ways to compromise it compared to a PC, especially if both are used by not tech savvy people.
Re: (Score:2)
The main reason banks trust phones more is because Android and iOS both have decent mechanisms for detecting when apps and the OS have been altered. The reason your banking app takes so long to start up is because the OS is verifying that both the OS itself and the app are functioning as intended.
If you root your Android device you will find that many such apps refuse to work.
Nota Bene (Score:5, Insightful)
> don't assume mobile devices are somehow safer than desktops anymore
Both iOS and Android are full-fledged operating systems, and the only reason they are considered safer than desktop operating systems is because their application stores are somewhat curated. That's it.
Their software stacks are very similar to desktop operating systems, except they both strip you of superuser rights by default. That doesn't mean their kernels and user space are significantly more secure; they're just a tad different.
Not updating either of them is like leaving your house key out in the open.
Re: (Score:3)
There's more to it than just 'smaller'. Cellphone OS are designed to provide a smaller attack surfaces. They provide less access (iOS provides no conventional user-visible file system) in exchange for that security.
But consider: Here an iOS vulnerability makes headlines. A new Windows vulnerability is just "meh".
I find it interesting that some here would want operating system vendors to be legally liable for security vulnerabilities? Will they also accept legal liability for bugs in their own applicati
Re: (Score:2)
> Both iOS and Android are full-fledged operating systems, and the only reason they are considered safer than desktop operating systems is because their application stores are somewhat curated. That's it.
Smartphones and their OSes use security chips whereas desktops are only now implementing those features. One of the pain points of Windows 11 upgrades was the TPM requirement.
How about we recycle old devices? (Score:2, Insightful)
How about we present the message: recycle old devices that cannot be updated anymore?
Apple does not back port all fixes. They only fully update their latest OS.
Re: (Score:1, Insightful)
> How about we present the message: recycle old devices that cannot be updated anymore?
> Apple does not back port all fixes. They only fully update their latest OS.
How about we stop allowing corporations to do that? They are legal fictions which exist at the pleasure of The People, and if we stop bending over for them, we can bring them to heel. They should not be allowed to abandon devices they could easily support when any significant number of people are still using them. The only reason corporate charters are supposed to exist is to serve the public interest.
Oh look, cuckery (Score:1)
I love it when I get modded down for saying that we should expect legal institutions to function in our favor. It lets me know I've triggered a class traitor and I should double down.
Re: (Score:1)
> Oh would you stop complaining like the big cry baby you are, always complaining about everything?
No, because it works. Telling me not to do things which work is stupid. You're stupid.
> Anyway, as a distinguished member or the rsilvergun Chinese troll farm
You troll farmers always cry troll farm. If you were a real person you wouldn't post anonymously.
Re: (Score:1)
> The person who posts 24/7 on Slashdot complaining that a stupid opinion didn't get modded up?
Oh look, you can't read.
> Uh, you must new here?
Oh look, you can't write, either.
This is even dumber than your other comment about this, where you give Apple a handy even though they will never ever appreciate you. Notice me Apple-Senpai!
Re: (Score:2)
Apple was the context of the other post, but you were modded down for a stupid comment and not because of anything about Apple.
I'm still curious to see your answer.
Re: (Score:2)
> Apple was the context of the other post
Yes, that's what I said. Guess you just learned to read. Now if you could learn not to simp for corporations you'd really be getting somewhere.
Re: Oh look, cuckery (Score:2)
Why donĂ¢(TM)t the people who run those companies have the right to decide how to invest their resources?
It costs money to patch obsolete stuff
Re: (Score:2)
Who's the "our" in whose favor the institutions should work? If you mean "the people" generally, then you have to account for how many of them also comprise the corporations you're talking about. And given how people have a natural right to decide who their work benefits, it looks to me like we already have the system you're asking for.
Re:How about we recycle old devices? (Score:5, Informative)
> How about we stop allowing corporations to do that? They are legal fictions which exist at the pleasure of The People, and if we stop bending over for them, we can bring them to heel. They should not be allowed to abandon devices they could easily support when any significant number of people are still using them. The only reason corporate charters are supposed to exist is to serve the public interest.
According to Apple, as of February 2026, 90% of all currently running iOS devices are on either iOS 26 (current release) or iOS 18 (previous release), while 10% are running something earlier.
iOS 15, 16, and 17 covers ~10% of all iOS users and are all actively patched for security bugs. (Presumably there is a tiny fraction of people running something before iOS 15.)
iOS 15 supports iPhone 6s devices first released in 2015.
So, Apple is supporting their iPhone hardware for at least 11 years right now.
Now, how much further would you, Drinkypoo, force them to make updates for? Should it go all the way back to iOS 1 in 2007? Sure, only a few hobbyists may be running those devices, but what does that matter. Does your dictat apply to all companies that release software packages? Should every company that has ever released a piece of software be forced to patch _every revision level_, separately, forever? How do you define what they could "easily support" and "any significant number of people"? I'm really curious how you imagine your system working. It sure sounds like it would put a lot of small and open source developers out of business.
Re: (Score:1)
> Now, how much further would you, Drinkypoo, force them to make updates for?
Which word in "They should not be allowed to abandon devices they could easily support when any significant number of people are still using them" confused you? No, don't tell me. Look it up.
Re: (Score:3)
Sure, since you missed it in my post, here's what I already asked you:
> How do you define what they could "easily support" and "any significant number of people"? I'm really curious how you imagine your system working. It sure sounds like it would put a lot of small and open source developers out of business.
From your post, directly replying to OP about Apple, it's clear that you believe Apple is egregiously guilty of breaking your rules and "we [need to] stop bending over for them, we [need to] bring them to heel." (Nice.) Apple currently supports 11+ years of devices and 5 major OS software revisions. Well under 1% of iOS users are running something that is not currently supported.
So, what can Apple "easily support" that they are not curren
Re: (Score:1)
> Apple currently supports 11+ years of devices and 5 major OS software revisions.
First, both of those numbers are irrelevant. If Apple is popular then there will be more devices to support. Second, Apple doesn't support all of those revisions on all devices. Third, Apple can easily support all of the devices, because they have all of the necessary information. Fourth, stop asking stupid questions, you're exactly like the people saying "how much do you think a living wage is" when that's completely beside the point of the argument.
Re: (Score:3)
So, you jump into a thread specifically about Apple supporting old devices but next you say "numbers are irrelevant" when they don't match your narrative. You make bombastic claims like "if we stop bending over for them, we can bring them to heel. They should not be allowed to abandon devices they could easily support when any significant number of people are still using them" but won't even attempt to articulate what your demand actually is. Seemingly, supporting 11+ year old devices and 5 major OS revisio
Re: (Score:2)
Sadly, we cannot stop them any longer, they have become to powerful. Corporations may be legal fiction however classism and corruption are not. Given that the upper class owns the governments and the courts, there is no effective way to constrain transnational corporations. Indeed, such legal machinations were designed to allow the upper class to act with impunity. This is how the entitled turned our democracies into thier global plutocracy.
This always ends the same way, an internal ethical rot that destroy
Re: (Score:2)
I just received an iOS 16 patch for my iPhone 8 yesterday. This model was released in 2017.
Re: (Score:1)
They DO appear to do that if the problem is bad enough, but I'm still going to keep telling people to stop using things after they stop getting regular updates. [1]https://www.neowin.net/news/ap... [neowin.net] Android too, if that last security update is a ways back.
[1] https://www.neowin.net/news/apple-releases-ios-1587-and-ios-16715-for-older-devices-to-patch-the-coruna-exploit/
Re: (Score:2)
> Apple does not back port all fixes.
And you know this ... How, exactly ?
My ten year old iphone SE first gen is capped on ios 15. It just received a security update this week.
That's TEN YEARS of support for security updates.
Re: (Score:2)
You working for Apple? We don't need cell phones every two years anymore. Our throwaway society is costly
Re: (Score:2)
How about we present the message: "it is fraud to advertise a device as suitable for use on the internet unless you are committing to fixing any critical security flaws found on it for the lifetime of that device".