According to a recent report by ZecOps, a cybersecurity firm based in San Francisco, the default Mail app in iOS and iPadOS has two serious security flaws. The company ran routine forensics on customer devices and found the two vulnerabilities after digging further. It outlined the evidence of targeted attacks in a report on Wednesday.
According to the details, the vulnerabilities allow attackers to run code remotely in the context of Apple’s MobileMail and maild processes in iOS 12 and iOS 13 respectively. The attack is delivered through a crafted email sent to the user, and if it triggers properly, the user wouldn’t know they are being hacked.
Variants of the flaw stretch back to at least iOS 6, the researchers said. Because the vulnerabilities were used to attack users before Apple could issue a patch, they’re considered zero-day attacks, which is significant because iOS zero-days are extremely rare and often quite expensive.
However, the flaws do not pose a serious threat to users, but only allow attackers to leak, delete, and modify emails. If the attack is combined with another kernel attack, such as the unpatchable Checkm8 exploit, it could allow the attacker to get root access to the device.
According to the report, at least one of the two flaws can be exploited remotely without user interaction, which is known as a zero-click attack. ZecOps explains that the second vulnerability was discovered only while analyzing the zero-click vulnerability. Strangely, the latest version is more vulnerable than the previous one: iOS 13 is vulnerable to the zero-click attack, while the iOS 12 flaw requires the user to interact with the email, such as by tapping on it.
Upon further investigation, ZecOps learned that a number of users were targeted with this flaw, including employees of a Fortune 500 company in North America, a journalist in Europe, and a VIP in Germany. It was also discovered that the attackers deleted the emails in order to cover their tracks.
Meanwhile, researchers who talked to Motherboard said that the flaw was relatively unpolished compared to other attacks, meaning that high-profile attackers would probably consider it too risky to use against “high-value targets.”
ZecOps believes that exploitation is likely to increase now that the flaws are publicly disclosed. The researchers said that hackers will try to “attack as many devices as possible,” which means that users who are not tech-savvy could end up targeted. That becomes more dangerous if the exploits are leveraged by cybercriminals with access to additional vulnerabilities.
ZecOps advises against using the native Mail app on the iPhone until the patch is released. The attack can only be initiated against the default Mail app, not third-party mail apps.
According to ZecOps, the company informed Apple about the vulnerabilities two months ago. Both flaws have since been patched in the latest beta releases of iOS 13, and a fix is set to arrive in the next publicly available update, iOS and iPadOS 13.4.5.