A new security report claims Apple’s Mail email app for iPhone and iPad contains a flaw that makes it vulnerable to hackers. ZecOps says that “The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory.”
The report also claims that the flaw has been in Mail since iOS 6 in 2012, meaning there have potentially been eight years of successful hacks, but that researchers only found evidence of an attack ‘in the wild’ in January 2018 on iOS 11.2.2.
“[W]e surmise with high confidence that these vulnerabilities … are widely exploited in the wild in targeted attacks by an advanced threat operator(s)”, says the report.
It recommends that you disable Mail and use an alternative email app such as Gmail or Outlook until the next iOS update gets to you.
The flaw in iOS 13, the latest version of iOS, can be exploited against a person’s account without them even opening the email, which is known as a zero-click attack. All it requires is for Mail to be open in the background on the device, and an email can then allow a hacker to infect it.
In iOS 12, it is claimed that a person would have to click on the email for a similar attack to occur. ZecOps says it has recreated the attack in its labs and informed Apple of the potential bug last month.
It says Apple has already fixed the issue in a patch on the latest beta of iOS, and that a public fix will come soon in a point update to all compatible iPhones and iPads.