Hacking has always been a part of the internet as long as one can remember. Most recently, it was revealed that hackers were buying and selling more than 500k Zoom accounts in the Dark Web. And there are plenty of other examples.
But the latest security research claims that Apple’s iOS Mail app has a severe security flaw. And it easily enables hackers to hack any iPhones.
ZecOps Research Team finds a severe flaw in the iPhone’s Mail App that existed for years.
According to cybersecurity firm ZecOps, after a routine iOS Digital Forensics and Incident Response investigation, they’ve found a few suspicious events in Apple’s default Mail app.
After analyzing the events, they found that these events date as far back as January 2018. And discovered that this exploitable vulnerability affects both iPhones and iPads.
ZecOps details that the vulnerability affects even the latest iOS update, i.e., iOS 13. And it claims that they found two kinds of vulnerabilities; one is unassisted, or zero-click attack and the other is a one-click attack.
The zero-click attack works when the Mail app is opened in the background. It mostly affects the Mail app iOS 13 devices and doesn’t even require any action to work. The one-click attack, on the other hand, requires a click on the email. And it mostly affects the iOS MobileMail app on iOS 12 devices.
How Does this Vulnerability Work?
ZecOps claim that this vulnerability exists, at least since iOS 6 was first introduced back in 2012. And the earliest triggers they’ve observed in the wild was on iOS 11.2.2 device.
The user receives a specially crafted email in the mailbox from an anonymous sender.
So, when a user simply opens the Mail application on their iPhone, the unassisted attack is triggered. Or, just a click on the email is all it takes even before rendering the content.
The zero-click attack can also work on iOS 12 devices if the attacker has a hold of the user’s mail server.
According to the cybersecurity firm, at least six eminent targets have become the victims of the act. It includes MSSPs from Israel and Saudi Arabia, “individuals from a Fortune 500 organization, and a European journalist.
Is it Legitimate?
While ZecOps is confident in its research team and their findings, still people are questioning its legitimacy.
A researcher for Google’s Project Zero cybersecurity project, Jann Horn, tweets his reaction questioning the validity of the claim.
@ZecOps your writeup says "The suspicious events included strings commonly used by hackers (e.g. 414141…4141).", but that's also what it looks like when you just base64-encode nullbytes; and this is MIME parsing, so you're likely to see base64-encoded data
— Jann Horn (@tehjh) April 22, 2020
Nevertheless, it is still a significant threat to any iPhone or iPad user, especially when it comes to privacy. And Apple has already patched the vulnerability in the recent beta release after getting the information.
ZecOps also reports that Apple is working to fix the problem in the non-beta version. And they expect it to arrive in an iOS update in the coming weeks.
To tackle the issue, ZecOps suggests users update to the latest beta version available. And if not possible, you can disable the default Mail app and use other applications like Gmail.