Hackers Have Been Exploiting This Serious iOS Security Flaw for Years

2 Min Read Published: Apr 22nd, 2020

Text Size

- +

Toggle Dark Mode

Millions of iPhones and iPads are vulnerable to a security flaw that may have been present in iOS for years, reports Reuters. The flaw recently was uncovered by ZecOps, a mobile security forensics company operating out of San Francisco. This flaw affects millions of iPhones and iPad and has been around since iOS 6 and the iPhone 5.

Zuk Avraham, CEO of ZecOps, described the exploit and his company’s research into the flaw in a blog post this week. The flaw was discovered while the company was investigating a cyberattack against a client that occurred in late 2019.

Based on his research, Avraham believes this vulnerability was used in at least six previous hacking attempts dating back to January 2018.

These 0 click vulnerabilities that had in the wild triggers exists on iOS since (hold your breath)… iOS 6!! This is one of the deepest vulnerabilities ever discovered on mobile (including Android). https://t.co/4mjXsPfrKM
— Zuk (@ihackbanme) April 22, 2020

Mail App Is the Culprit

The flaw can be accessed remotely via the Mail app and has been used against high-profile iOS users, claims Avraham. These users include an employee at an unnamed Fortune 500 North American technology company as well as high-profile employees at companies in Japan, Germany, Saudi Arabia, and Israel.

According to Avraham, users would be sent an email that appeared to be blank, but the message would cause the Mail app to crash and reset. This crash allowed hackers to steal other data on the device, including photos, confidential emails, and contact information. Anything the Mail app could access was available for hackers to steal.

Avraham used the data from the crash reports on his client’s phone to figure out the method of attack. Avraham then was able to identify the vulnerability and recreate the hack. He confirmed that it still exists in iOS 12 and iOS 13.

Speaking to Reuters, other security researchers agree that the evidence presented by Avraham is credible but acknowledged that they had not recreated the results.

Apple security expert Patrick Wardle told Reuters that Avraham uncovered what researchers have long suspected “that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”

Apple declined to comment on Avraham’s research when approached by Reuters, but the Cupertino company did confirm that a vulnerability exists in the Mail app on iPhones and iPads. Apple recently found out about the flaw and says it already has a fix for the vulnerability. The company plans to roll out the patch in an upcoming update that will be released globally.