A new potentially serious software vulnerability has been discovered in iOS 13 that works via the default Mail app on iPhone and iPad. The security group ZecOps (via Motherboard) says that one of the two vulnerabilities is a zero-click exploit (no user interaction needed) that can be performed remotely.
ZecOps detailed its findings in a blog post, and the more serious of the two vulnerabilities affects even the latest iOS 13 public release (and iOS 12 too). However, Apple has patched the flaws in the most recent iOS 13.4.5 beta, which should be released to the public soon.
The zero-click exploit works through the default iOS Mail app and is potentially dangerous as a user doesn’t need to tap or click anything to have their device compromised:
ZecOps says that it has discovered evidence of the attacks being used in the wild and believes them to be “widely exploited.”
The report details that it appears the nefarious emails sent are then deleted by the hackers after using them to access targets’ devices.
One limitation of the flaw is that it requires a relatively large email, which may be blocked in some cases. The founder of ZecOps, Zuk Avraham, noted that the exploit doesn’t apply to the Gmail or Outlook iOS apps, but it’s not clear whether Gmail accounts opened through the Apple Mail app are also vulnerable.
As noted by Motherboard, ZecOps hasn’t found evidence of the exploits being used for mass attacks but rather targeted ones. But if you are concerned about the potential security and privacy issue, you can use another email app until iOS 13.4.5 is publicly released.
For all the fine details on these exploits, read the full post by ZecOps here.