Apple Denies iPhone Mail Flaw Has Been Used In The Wild

Apple has responded more fully to the claim by San Francisco-based security researchers ZecOps concerning flaws in its Mail app.

It disputes the firm’s findings that the flaws have been used in at least “six high profile” cases, and it said that it believes the flaws do “not pose an immediate risk to our users”.

ZecOps on Wednesday had disclosed the discovery of two previously unknown Mail vulnerabilities found in iPhones and iPads that, if exploited, could allegedly allow attackers to remotely access, modify or delete user emails.

Six attacks

The allegation is very serious, as the researchers said the flaw had been exploited at least six times against high-profile victims by nation-state hackers, and Apple had been unaware of the flaw for years.

Indeed, ZecOps said that the vulnerabilities “exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released,” although it only “found a number of suspicious events that affecting the default Mail application on iOS dating as far back as Jan 2018.”

ZecOps said that suspected victims included individuals from a Fortune 500 organisation in North America; an executive from a carrier in Japan; a VIP from Germany; a journalist in Europe; an executive with a Swiss company; and finally staff of tech firms in Saudi Arabia and Israel.

It should be noted that users do not need to download any external software or visit a booby-trapped website that contains malicious software (i.e. malware) in order to become a victim of these flaws.

According to ZecOps, the flaws centre on attackers sending a specially crafted blank email through the Mail app, which forces a crash and reset of the Apple device.

The crash then opens the door for hackers to steal other data on the device, such as photos and contact details, or even confidential messages.

Apple was notified of the problem in March, and on Wednesday it promised a fix in upcoming updates.

No immediate risk

But on Thursday the iPad maker disputed ZecOps' claim that the flaw has been exploited in the wild.

Indeed, Apple on the whole denied the severity of the situation in a statement to Bloomberg’s Mark Gurman, who subsequently shared the company’s official response in a tweet.

“Apple takes all reports of security threats seriously,” Apple was quoted as saying. “We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users.”

“The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers,” it added.

“These potential issues will be addressed in a software update soon,” said Apple. “We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
