The vulnerability was discovered by ZecOps, a mobile security forensics firm. The flaw is believed to have been unpatched in since 2012.
Apple is finally set to patch two major security flaws in the default iOS and iPadOS Mail app which could have millions of devices vulnerable for over 8 years. The vulnerability was first introduced via iOS 6 and could have since been exploited by attackers repeatedly.
The vulnerability was discovered by ZecOps, a San Francisco-based mobile security forensics firm while it was investigating a sophisticated cyberattack against a client that took place in late 2019.
At the time, Zuk Avraham, ZecOps’ chief executive, claimed that the vulnerability was exploited in at least six cybersecurity breaches that allowed hackers to gain access to devices of high-profile targets. The exploit, ZecOps explains, is triggered by sending a rigged email that may or may not require and interaction at all, while in other cases may only require the user to open the email.
Once triggered, the email then runs code in the context of the default mail apps, which make it possible to read, modify, or delete messages. The security firm also suspects the attackers combine the zero-day vulnerability with a separate exploit to give full control over the device. As explained above, the vulnerability can be triggered remotely without any user interaction — an attack known as a zero-click.
In a separate report published by Reuters, the publication got two independent security researchers to review ZecOps’ claims. The researchers too found the evidence credible but said they had not yet fully recreated its findings.
In its report, ZecOps claims that a number of its customers were targeted, including employees at a Fortune 500 company in North America, with a journalist in Europe and a VIP in Germany also having been targeted using this exploit.
But what’s concerning is that since Apple wasn’t aware of the vulnerability until recently, the flaw could have been exploited by hackers and even security agencies across the globe to snoop on unsuspecting users who had no idea that their data was being stolen in the first place.
ZecOps says it alerted Apple to the vulnerabilities in February. Both of the flaws have since been patched in the latest beta releases of iOS 13, and a fix is set to arrive in the next publicly available iOS update in iOS and iPadOS 13.4.5.