Apple’s iOS Mail app, which comes pre-installed on all iOS devices, has been found to contain two severe security vulnerabilities that, if exploited, could enable hackers to steal the victims’ data.
In fact, the attackers have leveraged these flaws for attacks against various targets, including a European journalist, a Japanese executive, and individuals from an undisclosed Fortune 500 company among others, said ZecOps researchers, who uncovered the flaws. Some of the attacks are thought to go back all the way to January 2018.
“Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails. Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability,” said the company.
The security flaws allow attackers to remotely compromise a device by sending an email that will consume high amounts of the device's memory – without actually requiring a large email to do so. The vulnerability can be triggered before the whole email is downloaded, although the trigger varies depending on the iOS version the device is running.
On devices running iOS 13, the vulnerability is triggered by an unassisted attack, also known as a ‘zero-click’ attack, which means the Mail app has to be running in the background. On iOS 12, meanwhile, the victim would have to click on the email. These aren’t the only two iOS versions vulnerable; devices running iOS 6 and above are all susceptible to the attack, while older versions haven’t been checked.
Once the vulnerability has been exploited, on iOS 12 the email app would appear to be sluggish and sometimes even crash. On iOS 13, it would manifest as a temporary slowdown of the mail app. In case of a failed attack, the emails sent by the hacker would show “This message has no content.”
ESET Security Specialist Jake Moore said that the flaw is unlikely to have been used to target people en masse: “For complete remote access to occur under the radar it will have most likely been used for highly-targeted attacks on high-profile victims. Although this is a very professionally designed secret hack, it would be very unlikely that it was used en masse. Some flaws are kept even further underground amongst cybercriminals and keep certain exclusive vulnerabilities to themselves, so law enforcement and developers are kept in the dark – hence this particular defect has not been spotted for years. This particular flaw will be patched in the next update, so make sure you have your phone set to auto-update to the next version.”
The researchers alerted Apple to the two vulnerabilities and it has developed a fix that is currently available as iOS 13.4.5 beta. As a result, the patch is not readily available yet, since beta versions are mainly aimed at developers. For the time being, you can mitigate the issue by using other email clients.
Last year, Apple had to rush a fix for a FaceTime spying bug.