iPhone's Mail app has two severe "zero-click" vulnerabilities that have existed for 8...

nanoguy

Posts: 656   +11
Staff member

Apple's iOS 13 has received several bug fixing updates in its six month lifespan so far, among the most notable: a patch that addressed killing of background apps, another that drained your battery for no apparent reason, one that prevented from using the camera, or track your precise location even if you had expressly disabled that in settings. These new vulnerabilities however sound considerably more serious.

Two security flaws have been found on the default Mail app that comes pre-installed on all iPhones and iPads. According to a report from security research group ZecOps, several high-profile people have been targeted by hackers since January 2018, including an executive from a telecom company in Japan, a European journalist, an executive from a Swiss enterprise, and individuals from an unnamed Fortune 500 company.

The severity of the two flaws is highlighted by the fact that unlike most email-based attacks -- which typically require the user to click a link and visit a website -- this flaw makes it possible for hackers to take over your phone by simply opening the Mail app and displaying a specially-crafted malicious email. This is referred to as a "zero-click vulnerability."

Researchers note that the attacks exhibit many of the particularities observed in other operations of a certain state-sponsored hacker group, but they didn't want to give a name. But more importantly, the two vulnerabilities have been confirmed to date as far back as iOS 6, which was released in 2012.

For a regular user, the most they'd notice is a little sluggishness in navigating the Mail app, or, as you can see in the image above, emails that appear to have no content and can't be displayed. In more rare instances, the Mail app would crash after trying to access your inbox.

ZacOps alerted Apple about the two vulnerabilities in February, but a fix is only available in the iOS 13.4.5 beta for the time being, which means you'll have to wait until Apple releases it to the general public.

On the other hand, you can always use an alternative email app like Outlook or Gmail. You may also want to disable your Mail app for now, by going to Settings -> Passwords & Accounts and disable the Mail toggle under each email account you are using.

Permalink to story.

 

Fearghast

Posts: 293   +191
TBH considering the user experience with this default app, I never found use for it ... well other than to irritate me. Other mail apps are so much better.
 

Shadowboxer

Posts: 1,146   +756
Why is this news? Are vulnerabilities really that rare on iOS that whenever one is discovered it prompts journalists to write about it?

Android on the other hand has hundreds of known vulnerabilities. Google have been promising to address them for years. I guess they probably squash one then another 5 show up.