Apple is working on a fix for a critical bug that has left more than half a billion iPhone users vulnerable to attack. The exploit is triggered by a malicious email that runs code inside the default Mail app, making it possible to read, modify or delete messages.
The bug had apparently been lurking for eight years. According to a report by Reuters, it was discovered by researchers at ZecOps, a San Francisco-based mobile security company, while they were investigating a cyberattack on a client that took place in late 2019. The company said the bug had been exploited in at least six previous incidents.
Apple has acknowledged the existence of the bug in the Mail app for iPhones and iPads. The company has prepared a fix and will roll it out to users in a forthcoming update covering all affected devices Apple has sold.
Apple did not comment on whether the attack can be triggered remotely or whether it has already been exploited by hackers. There is apparently evidence that a malicious program was making use of the vulnerability as far back as January 2018.
Commenting on this, Satnam Narang, Principal Research Engineer at Tenable, said: "The recent disclosure that multiple zero-days in the Apple iOS Mail application were exploited in the wild is significant and noteworthy. One of the flaws can be exploited without user interaction (also known as zero-click) on iOS 13. The vulnerabilities also affect iOS 12, though interaction is required in most cases.
Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with an unpatched kernel vulnerability would provide an attacker with full device access, though that information has not been identified as of yet.
While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application and use an alternative application, such as Microsoft Outlook or Google's Gmail."
Victims of the attack would apparently receive a blank email message in the Mail app that forces it to crash and restart. That crash opens the door for the attackers to get in and steal data stored on the device, such as photos and contact details. The bug is present in the latest version of iOS as well. This is not the first iOS bug to have surfaced in recent years.