The cyber-security company ZecOps has discovered security vulnerabilities in the iOS Mail app on iPhone and iPad and notified Apple of them. Because of these vulnerabilities, users' email data can potentially be stolen by an attacker who sends malicious emails to gain access to the system. ZecOps also reported that the vulnerability has been exploited publicly. Addressing the issue, however, Apple claimed that the security vulnerability is not harmful and that a patch will be released soon.
iOS vulnerability can be triggered by dubious emails
During a routine incident response investigation and iOS digital forensics, ZecOps noticed suspicious activity affecting the Mail app, which led to the discovery of the vulnerability on iPhone and iPad. ZecOps explains that by sending emails that occupy memory space, attackers can trigger the vulnerability, which has remote code execution capabilities, and gain control of iOS and iPadOS devices to access users' email data, which can be leaked, altered or deleted.
A successful attack does not leave any obvious signs, so users do not notice any anomalies. Test attacks on iOS 12 revealed that the Mail app suddenly crashes, and on iOS 13 the app temporarily slows down. In both successful and unsuccessful attacks, users remain unaware of the attempts, which is a major security risk. However, the email content of a failed attempt reads ‘this message has no content’.
Interestingly, the investigation found that the malicious emails that were sent were missing from the devices’ mail servers, which store all received emails after processing them. It is presumed that those emails might have been deleted so as not to leave any identifying trail.
Triggers that exploit the vulnerability are in the wild, and the vulnerability is currently present in iOS 6 and later, including the latest iOS 13.4 version.
Targeted victims are executives and enterprises
San Francisco-based ZecOps believes that the attacks are initiated by ‘hackers for hire’ who steal information for industry rivals or other miscreants. The potential victims of these data poachers are VPs, CEOs, heads of state, and others in high positions.
The suspected targets so far include:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A journalist in Europe
- Suspected: An executive from a Swiss enterprise
Given the attention this issue requires, Apple has released a fix for these vulnerabilities in the iOS 13.4.5 beta and will make the update public soon. We are also expecting updates to iOS 11 and earlier versions to resolve the issue on older iOS devices.
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
Until the fix is publicly released, users are advised to disable the Mail app on iPhone and iPad and use a third-party mail app.