Security researchers have uncovered serious vulnerabilities in Apple’s native Mail application for iPhone and iPad devices that could allow hackers to scrape personal information without the victim knowing.
One of the flaws is classified as a remote zero-click, meaning the victim is infected without any interaction with a malicious download or website. In this instance, the device is infected when the user opens a rigged email delivered by the hacker.
The bugs were discovered by US-based security firm ZecOps, which published a report on Wednesday that states “with high confidence” that the newly discovered flaws have been widely exploited in the wild.
According to the report, the bugs went unnoticed for the best part of a decade, first appearing in Apple’s Mail application with iOS 6, released in 2012.
Apple security flaws
Although Apple is widely praised for its excellent digital security standards and watertight code, its devices are not invulnerable to attack.
The newly discovered flaws are labeled as zero-days (or 0-days), which means Apple was unaware of their existence and therefore powerless to prevent their exploitation. This makes the exploits highly valuable to malicious actors on underground markets - especially given the relative rarity of zero-days affecting Apple devices.
ZecOps claims it verified the flaws in a controlled lab setting after customers reported unusual device failures. The firm also reportedly uncovered evidence that the exploits have been used to attack multiple high-profile targets, including employees of a Fortune 500 company and an executive at a Japanese telecoms firm.
“We are aware of multiple triggers in the wild that happened starting from Jan 2018, on iOS 11.2.2...It is possible that the attackers were using this vulnerability even earlier. We believe these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher,” wrote ZecOps.
The company reported its finding to Apple at the end of March, with a quiet patch for both vulnerabilities issued for the beta version on April 15/16.
“To mitigate these issues - you can use the latest beta available. If using a beta version is not possible, consider disabling Mail application and use Outlook or Gmail that are not vulnerable,” ZecOps advised.
Apple did not respond immediately to our request for comment, but the firm is expected to roll out a widespread fix for the millions of affected devices in due course.