Apple is known for its stringent review of apps on its App Store and most presume that it applies that same scrutiny to its own first-party apps. Even if that were the case, however, there will also be times when a bug or a security vulnerability gets through its critical eyes. Sometimes, those bugs can have very serious consequences, like this rather frightening bug in the iOS Mail app that can give hackers access to an iPhone even without the user even opening the email.
Mobile forensics company ZecOps reported what it called a “zero-click” vulnerability in Apple’s Mail mobile app that it believes has already been exploited in the wild. Fortunately, it doesn’t think it has been used in any mass iPhone hacking attempts but it may have been successfully used in target attacks on specific and unnamed individuals.
Unlike most vulnerabilities that would require users to at least open an email, the zero-click attack requires no user interaction at all. It works by sending a very large email that causes an overflow, giving hackers remote access to the device. The hackers can then delete the offending email from the service provider’s servers and remove any trace of its activity after the fact.
One weakness of this flaw is that some email providers block such large emails but it was still successfully used in targeting at least six individuals. Making matters, ZecOps believes that bug has been in existence since 2018.
ZecOps responsibly disclosed the vulnerability to Apple in February, giving the company time to make a patch to plug up that hole. That patch, however, won’t be coming until iOS 13.4.5, which isn’t expected to roll out until after a few weeks. Until then, Apple Mail users might want to temporarily switch to another email client for the time being, especially now that hackers might be scrambling to take advantage of the exploit before the doors get closed.