According to research published on Wednesday by ZecOps, a mobile security firm, there is a bug in the Mail app on iPhones and iPads that leaves Apple’s devices vulnerable to hackers. The bug had not been reported to Apple until March, when ZecOps reported it.
To take advantage of this flaw, hackers would send a blank e-mail to an iPhone or iPad user’s Mail account. On opening the email, the app would crash, causing users to reboot. During the reboot, hackers would be able to gain access to data on the device.
What makes this attack unique is the fact that users do not need to download any external software or visit a website that contains malware. Usually, hackers need action from the victim in order to trace the origin of the attack.
ZecOps said that hackers could take advantage of the bug even on recent versions of iOS. Furthermore, they suspect that at least six high-profile targets were victims of the exploit. Employees of technology companies in Saudi Arabia and Israel, a European journalist and an individual in Germany are also victims of this exploit.
ZecOps is refusing to reveal the names of other victims for privacy reasons. In addition, it said it was not able to search for the malicious code because the emails are suspected to have been deleted by the hackers.
The report says, “The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13.” According to ZecOps, this vulnerability has existed since 2012, with the iOS 6 update.
At this time, however, it does not seem that ZecOps has public evidence of the exploits being used. Consequently, some security researchers have questioned the authenticity of the claim, including Jann Horn, a researcher for Google’s Project Zero cyber security project.
After being alerted to suspicious crashes on customers’ iPhones, ZecOps reproduced the results of the hack in its lab. Next, it reported the exploits to Apple in the previous month. ZecOps says Apple already patched the vulnerability in the most recent beta release of iOS. The fix will come to the non-beta version of iOS in an update to all users in the following weeks. Apple has refused to comment on the findings.
Lastly, ZecOps says, “To mitigate these issues — you can use the latest beta available. If using a beta version is not possible, consider disabling Mail application and use Outlook or Gmail that are not vulnerable.”