Major security flaw found in Apple's iPhones, iPads; hackers can now exploit bug in Mail app

ZecOps claims the vulnerability allowed hackers to remotely steal data off iPhones.

Agencies
Apple Inc is planning to fix a flaw that a security firm said may have left more than half a billion iPhones vulnerable to hackers.

The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place in late 2019. Zuk Avraham, ZecOps' chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins.

An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.


Apple declined to comment on Avraham’s research, which was published on Wednesday, that suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.

Avraham said he found evidence that a malicious program was taking advantage of the vulnerability in Apple’s iOS mobile operating system as far back as January 2018. He could not determine who the hackers were and Reuters was unable to independently verify his claim.

To execute the hack, Avraham said, victims would be sent an apparently blank email message through the Mail app, forcing a crash and reset. The crash opened the door for hackers to steal other data on the device, such as photos and contact details.

ZecOps claims the vulnerability allowed hackers to remotely steal data off iPhones even if they were running recent versions of iOS. By itself, the flaw could have given access to whatever the Mail app had access to, including confidential messages.

Avraham, a former Israeli Defense Force security researcher, said he suspected that the hacking technique was part of a chain of malicious programs, the rest undiscovered, which could have given an attacker full remote access. Apple declined to comment on that prospect.

ZecOps found the Mail app hacking technique was used against a client last year. Avraham described the targeted client as a “Fortune 500 North American technology company,” but declined to name it. They also found evidence of related attacks against employees of five other companies in Japan, Germany, Saudi Arabia, and Israel.

Avraham based most of his conclusions on data from “crash reports,” which are generated when programs fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes.

Two independent security researchers who reviewed ZecOps’ discovery found the evidence credible, but said they had not yet fully recreated its findings.

Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, said the discovery “confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices.”

Because Apple was not aware of the software bug until recently, it could have been very valuable to governments and contractors offering hacking services. Exploit programs that work without warning against an up-to-date phone can be worth more than $1 million.

While Apple is largely viewed within the cybersecurity industry as having a high standard for digital security, any successful hacking technique against the iPhone could affect millions due to the device’s global popularity. In 2019, Apple said there were about 900 million iPhones in active use.

Bill Marczak, a security researcher with Citizen Lab, a Canada-based academic security research group, called the vulnerability discovery “scary.”

“A lot of times, you can take comfort from the fact that hacking is preventable,” said Marczak. “With this bug, it doesn’t matter if you’ve got a PhD in cybersecurity, this will eat your lunch.”

A Sigh Of Relief: Apple iOS 13.3 Released, Reportedly Fixes The Most ‘Annoying’ Bugs

Back when Apple announced iOS 13 at the last WWDC (Worldwide Developers Conference), probably no Apple user had expected so many bugs and issues to creep into their phones. Apple delivered most of the features it had promised with iOS 13.2 which was rolled out on October 30.

However, to fix the problems that users are facing, Apple has released iOS 13.3 to those who had signed up for beta testing. Reportedly, iOS 13.3 has fixed quite a few bugs, including the one which is being dubbed as the most ‘annoying’ problem till date.

A large number of users had raised issues with iOS 13 because the apps were apparently refreshing on their own, which led to users losing data. iPhones were automatically refreshing the apps which were previously accessed, a problem which users didn’t face with the previous versions of iOS.

“I was watching a video on YouTube [sic] on my iPhone 11 Pro I pause the video to respond to a text message. I was in iMessage for less than one minute. When I returned to YouTube it reloaded the app and I lost the video I was watching,” stated one of the forum members called Rogifan.

After iOS 13.3 release, one of the beta testers took to Twitter to share that Apple had reportedly fixed the issue. He said that he had 32 apps open on his iPhone 11 Pro Max and none of them refreshed.

iOS 13.3 comes with a new feature called ‘Communication Limits’. The iPhone will now have an app called Screen Time which allows users to limit texting, calling and FaceTime for their children.

Additionally, parents can also limit the usage time for different apps on the phone such as FaceTime, Phone app and Messages.

Previously, Screen Time could not block specific contacts but it has been fixed now. What’s more? Parents can also set limits on call duration depending upon whom their children are talking to.

iOS 13.3 also comes with another minor update. It allows users to control when they want to see Memojis and Animojis.

In Settings > General > Keyboard, you can now turn off Animoji and Memoji Stickers from being displayed on the emoji keyboard.

For the uninitiated, Animojis are 3D, animated emojis that transform familiar emojis to animated messages. Memojis, on the other hand, are personalised Animojis, akin to Snapchat’s Bitmoji, that look exactly like the user.

It seems like a good time to own an iPhone because almost all the problems that users have been facing are now being resolved. Twitter, too, has released an iOS bug fix that stops the timeline from auto-scrolling.

If the Twitter app has been acting up on your iPhone lately, you are not alone. The frustrating auto-scroll issue in iOS has been fixed by the good folks at Twitter with the latest 8.1.5 version of Twitter on the Apple App Store.

To get iOS 13.3, go to beta.apple.com and sign up for beta. Then, go to Settings > General > Profile to select the beta profile.

Once you’ve done that, you’ll download beta updates just like regular iOS updates: by heading to Settings > General > Software Update.
