Disputes claim by researcher ZecOps that the iPhone Mail flaws have been exploited at least six times against high-profile victims
Apple has responded more fully to the claim by San Francisco-based security researchers ZecOps concerning flaws in its Mail app.
It disputes the firm’s findings that the flaws have been used in at least “six high profile” cases, and it said that it believes the flaws do “not pose an immediate risk to our users”.
ZecOps on Wednesday had disclosed the discovery of two previously unknown Mail vulnerabilities found in iPhones and iPads that, if exploited, could allegedly allow attackers to remotely access, modify or delete user emails.
The allegation is very serious, as the researchers said the flaw had been exploited at least six times for high-profile victims by nation state hackers, and Apple had unaware of the flaw for years.
Indeed, ZecOps said that the vulnerabilities “exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released,” although it only “found a number of suspicious events that affecting the default Mail application on iOS dating as far back as Jan 2018.”
ZecOps said that suspected victims included individuals from a Fortune 500 organisation in North America; an executive from a carrier in Japan; a VIP from Germany; a journalist in Europe, an executive with a Swiss company, and finally staff of tech firms in Saudi Arabia and Israel.
It should be noted that users do not need to download any external software or visit a bobby-trapped website that contains malicious software (i.e malware) in order to become a victim of these flaws.
According to ZecOps, the flaws centre on attackers sending a specially crafted blank email through the Mail app, which forces a crash and reset of the Apple device.
The crash then opens the door for hackers to steal other data on the device, such as photos and contact details, or even confidential messages.
Apple has been notified in March of the problem, and on Wednesday it promised a fix in upcoming updates.
No immediate risk
But on Thursday the iPad maker disputed ZecOps claim that the flaw has been exploited in the wild.
“Apple take all reports of security threats seriously,” Apple was quoted as saying. “We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users.”
“The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers,” it added.
“These potential issues will be addressed in a software update soon,” said Apple. “We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
Do you know all about security? Try our quiz!