Fault in built-in Mail app could allow attackers to read, modify or delete emails, say experts.
A newly discovered bug in the built-in Mail app for iPhones could allow an attacker to read, modify and delete emails, researchers say. Apple says it will patch the vulnerability in the next version of iOS, 13.4.5, and that users of the beta software are already protected. But until that update is made available to the general public, every other iPhone user is vulnerable to the attack, which can be used to steal the contents of emails.
The bug is particularly severe for a number of reasons, according to the security company ZecOps, which published details of its findings this week. There is no public fix for the flaw, which affects every version of iOS from 6 upwards; it can be exploited on the latest version of iOS without any user interaction; and it has already been discovered in use by real-world attackers, dating back to January 2018.
Until the vulnerability is patched, ZecOps recommends that users consider disabling the Mail application and use Outlook or Gmail instead. The attack works by sending specially crafted emails that flood the memory of a device, allowing the attacker to break out of the protection that Apple normally puts in place to prevent Mail accidentally running malicious code.
It contains enough limitations to prevent it being widely exploited, according to Jake Moore, a cybersecurity specialist at the internet security firm Eset. Each email would need to be specifically crafted for a single target, rather than a “mass hack” affecting thousands of people, he said.
For those who might be deliberately targeted by hackers, however, the risk is not merely theoretical. By examining its logs of email traffic, the security researchers say they have found at least six instances when they believe the bug was actively exploited, with targets including a European journalist, a German “VIP” and individuals from a “Fortune 500 organisation in North America”.
Because the attacker gains the ability to delete emails, they can also delete the email they sent to trigger the exploit in the first place, thus effectively covering their tracks.
ZecOps said it believed the attacks were carried out by “at least one nation-state threat operator”, but declined to identify any country. Apple declined to comment.