In a worrying development for digital privacy supporters and iPhone owners everywhere, researchers this week showed that a previously unknown iPhone flaw had been employed to hack two European journalists using spyware produced by surveillance technology firm Paragon. Apple, now in the spotlight, has since admitted that it silently repaired the exploited bug in a previous update, iOS 18.3.1, released on 10th February.

The exploit itself, now publicly described in Apple’s updated security advisory, was a logic error in iOS’s handling of malicious media distributed via iCloud Links. The flaw allowed attackers to silently deploy spyware on affected iPhones through specially crafted images or videos, using an attack vector that had not previously been disclosed. The now-updated advisory reads,

“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals”.

Citizen Lab Exposes

Citizen Lab, a respected digital rights research organization at the University of Toronto, published its report on Thursday, detailing how this exploit was used in a covert, high-stakes cyber operation. Apple confirmed that the bug had been fixed in February but had not been made public until now.

The researchers named two people as confirmed victims: Italian reporter Ciro Pellegrino and another, unidentified but “prominent” European reporter. Both were attacked with Graphite, spyware created by Paragon, a surveillance firm that has become increasingly active recently.

Apple Fixes Silently

Interestingly, when iOS 18.3.1 was published on February 10, Apple’s security advisory listed only one unrelated flaw, a vulnerability that enables attackers to compromise iPhone security measures. The newly disclosed vulnerability was not mentioned until this Thursday, nearly four months after it had been addressed.

Apple hasn’t made public its reason for delaying the release of details about the bug. When questioned by journalists about it, the company remained silent. The secrecy is drawing attention, particularly as the company has positioned itself as a privacy-oriented tech company.

Spyware War on Journalism

The news fuels the mounting alarm surrounding commercial spyware and its deployment against journalists, dissidents, and activists. In January, WhatsApp had already informed approximately 90 users, including human rights defenders and members of the press, that they were targeted with Paragon’s spyware.

In April, Apple started sending threat notifications to some users, alerting them that their devices could have been infected by mercenary spyware. Apple did not go as far as identifying the spyware vendor, but Thursday’s report substantiates that at least two of those notifications were linked to Paragon’s Graphite tool.

It is not certain whether all of the Apple users who were notified of these threats, reportedly spread across 100 countries, were targeted with Graphite or with a combination of spyware tools. Apple’s alert said that “today’s notification is being sent to affected users in 100 countries.”

Users’ Trust Is Affected

This recent revelation supports the notion that no platform, however secure its brand, is safe from advanced state-level spying. Even though Apple did take steps to mitigate the bug earlier, the delayed disclosure undermines efforts to sustain user trust in an era growing increasingly nervous about covert digital incursions. Additionally, the fact that this exploit was aimed at journalists, who are fundamental to democratic transparency, raises serious questions about how spyware companies are acting with impunity and how technology giants are dealing with the information war being waged against them.

For a corporation that hawks privacy as a product, transparency shouldn’t be an afterthought. At a moment when reporters are emerging as frontline victims in the war for information, Big Tech has a responsibility to lead not just with encryption, but with integrity as well. Consumers don’t simply require protection; they also require the truth.