There is a newly unearthed bug in the built-in Mail app for iPhones that could allow an attacker to read, modify and delete emails, say researchers.
According to The Guardian, Apple says it will patch this vulnerability in the next version of iOS – 13.4.5 – and that users of the beta software are already protected. But until that update is made available to the general public, every other iPhone that uses the app is vulnerable to attack, and the contents of their emails can be stolen.
This is a particularly severe bug for a number of reasons, according to security company ZecOps, which published the details of its findings this week: there is no publicly available fix for this flaw; the exploit affects every version of iPhone from 6 upwards; users need not use the Mail app to have their emails hacked; and the flaw was discovered in use by real-world attackers dating back to January 2018.
Until the vulnerability is patched, ZecOps recommends that users “consider disabling the Mail application and use Outlook or Gmail” instead.
The attack works by sending specially crafted emails that flood the memory of a device, allowing the attacker to break out of the protections that Apple normally puts in place to prevent Mail accidentally running malicious code.
Jake Moore, a cybersecurity specialist at internet security firm Eset, says that the flaw has enough limitations not to be so widely exploited. Each email would need to be specifically crafted for a single target, rather than a “mass hack” affecting thousands of people, he says.
“It is somewhat disconcerting at how easy it seems to have been to remotely exfiltrate private data from Apple devices,” he says.
By examining its logs of email traffic, the security researchers say they have found at least six instances when they believe the bug was actively exploited, with targets including a European journalist, a German “VIP” and individuals from a “Fortune 500 organisation in North America”.
Since the attacker in question gains the ability to delete emails, they can delete the email sent to trigger the exploit, effectively covering their tracks.
Interestingly, ZecOps also says it believes the attacks were carried out by “at least one nation-state threat operator”, but declined to identify any country.
Apple has since declined to comment.
Edited by Luis Monzon