“No evidence” that iPhone flaw was used against customers, says Apple

News by Rene Millman

Apple denies that a flaw in its email app leaves half a billion users vulnerable to hackers

Apple has hit back at claims that a flaw in its iPhone and iPad mail app could leave devices vulnerable to hackers.

The alleged flaw in iPhones and iPads may have allowed hackers to steal data from over half a billion devices for years, possibly even since January 2018. The vulnerability, discovered by San Francisco-based ZecOps, allows remote code execution and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory, according to the security firm.

According to the researchers, these vulnerabilities are widely exploited in the wild in targeted attacks by advanced threat operator(s) against VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organisations.

An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.

In a statement to media, Apple said that it had thoroughly investigated the researcher's report and “based on the information provided, have concluded these issues do not pose an immediate risk to our users.”

“The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers,” the firm added.

Jake Moore, cyber-security specialist at ESET, told SC Media UK that when extremely unique attacks like this surface, it can be hugely worrying for the users as well as the brand.

“Apple pride themselves on their security – and often mention that its onboard protection is sufficient. However, when exceptional hacks like this emerge, which have been immune for years, it is somewhat disconcerting at how easy it seems to have been to remotely exfiltrate private data from Apple devices,” he said.

“For complete remote access to occur under-the-radar, this flaw will most likely have been exploited for highly targeted attacks on high profile victims. Although this is a very professionally designed secret hack, it is unlikely that it was used en masse. Some flaws are kept even further underground amongst cyber-criminals, who keep certain exclusive vulnerabilities to themselves, so that law enforcement and developers are kept in the dark – hence this particular defect has not been spotted for years.”

Chris Boyd, lead malware intelligence analyst at Malwarebytes, told SC Media UK that any attack that does not require the device owner to fall for social engineering tricks is always bad news.

“What’s important when these attacks happen is how a vendor responds to the vulnerability and so it's good to see Apple making moves to fix this. It appears the attacks may have been restricted to very specific targets, so although it sounds bad, regular iPhone users likely don't have too much to fear from this,” he said.
