Apple Says iPhone Mail App Security Flaw Bears Little Weight

Critical security flaws have reportedly been found in Apple’s built-in iPhone mail app. Security researchers from ZecOps say that, if the flaws are exploited, attackers could potentially manipulate emails, modify data, and read the information within.

Mobile security firm ZecOps Research and Threat Intelligence found the bug around February 19, 2020, and immediately notified Apple. As further proof of the mail app flaw, ZecOps sent Apple a proof-of-concept reproduction of an out-of-bounds write vulnerability.

According to the report published by the mobile security firm, the tech giant had no previous knowledge of the incident.

iPhone Mail App Security Flaw

To exploit the bug, attackers would send what appears to be a blank message to the Apple user, according to the BBC. When the message is opened, the vulnerability would cause the email application to crash, forcing the user to restart their device. After the reboot, attackers would mine sensitive information.

The bug was supposedly exploited at the expense of six high-profile victims, notes the BBC. Per the published ZecOps report, among the six suspected targets are individuals from a Fortune 500 firm in North America, a VIP from Germany, a European journalist, and an executive of an airline carrier in Japan.

A managed security service provider (MSSP) from Israel and Saudi Arabia, as well as a suspected executive from a Swiss company, were also vulnerable to the security flaw.

Because of these events, ZecOps said that they “surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).”

Moreover, the research team believes that the attacks exploiting the vulnerabilities in the Apple mail program were carried out by “at least one nation-state threat operator.” Despite these claims, The Guardian notes that the firm failed to name this country.

Although the security research team approached Apple about the vulnerabilities, the tech giant was quick to dismiss them, notes The Verge.

In a statement, Apple said they “have thoroughly investigated the researcher’s report, and based on the information provided, have concluded these issues do not pose an immediate risk to our users… alone they are insufficient to bypass iPhone and iPad security protections.”

In addition, Apple said they have yet to find proof that the mail app bug was used against its customers.

To address the issues, The Guardian reports, the tech giant will roll out patches in the next iOS version, 13.4.5.
