According to a report published Wednesday by San Francisco-based firm ZecOps, security researchers say the iPhone has a significant flaw in the native iOS Mail app that makes it vulnerable to hackers.
Apple had not previously revealed the bug, making it highly useful to a number of bad actors. ZecOps says it assumes "with high confidence that these vulnerabilities... are widely exploited in the wild in targeted attacks by an advanced threat operator(s)."
ZecOps claims at least six high-profile targets have been victims of the hack, including an executive from a Japanese mobile carrier and "individuals from a Fortune 500 company in North America." ZecOps refuses to identify the victims for privacy purposes and it claims that it was unable to access the malicious code because it is believed that the hackers remotely deleted the email messages.
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” reads the report. ZecOps says the vulnerability that underlies at least two zero-day iOS-related exploits has existed in the Mail app since at least iOS 6 launched in 2012.
However, at this point it does not appear that ZecOps has public proof of the exploits it feels confident sharing, causing some security researchers to doubt the claim's validity.
Regardless, in principle what makes this specific exploit so dangerous is that it does not demand the user to download a file or visit a website infested with malware. Instead, all it takes to execute code remotely on the iOS device of a victim is for the mail app to receive the email, and for the victim to open the message.
ZecOps claims that after being altered to suspicious crashes last summer on customers' iPhones, it replicated the hack's results in its lab. It then disclosed the exploits to Apple last month, which ZecOps says has already fixed the vulnerability in the new iOS beta update. The updates for the non-beta version of iOS are scheduled to arrive in an update to all users in the coming weeks. Apple has declined to comment on the results.