Flaw in iPhones, iPads may have allowed hackers to steal data for years

A software flaw which exists on iPhone, iPad, and iPod touch devices using Apple’s Mail app — discovered by ZecOps, a San Francisco-based mobile security forensics company — may have left more than half a billion iPhones vulnerable to hackers.

Christopher Bing and Joseph Menn for Reuters:

iOS email exploitZuk Avraham, ZecOps’ chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins.

An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.

Apple declined to comment on Avraham’s research, which was published on Wednesday, that suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.

To execute the hack, Avraham said victims would be sent an apparently blank email message through the Mail app forcing a crash and reset. The crash opened the door for hackers to steal other data on the device, such as photos and contact details.

ZecOps claims the vulnerability allowed hackers to remotely steal data off iPhones even if they were running recent versions of iOS. By itself, the flaw could have given access to whatever the Mail app had access to, including confidential messages.

ZecOps found the Mail app hacking technique was used against a client last year. Avraham described the targeted client as a “Fortune 500 North American technology company,” but declined to name it. They also found evidence of related attacks against employees of five other companies in Japan, Germany, Saudi Arabia, and Israel.

MacDailyNews Take: Due to this nasty flaw, stop using Mail on your iPhone, iPad, and/or iPod touch for now and as soon as iOS 13.4.5 and iPadOS 13.4.5 become available, update your devices!

Read more about this issue via ZecOps here.

[Thanks to MacDailyNews Reader “Fred Mertz” for the heads up.]


  1. https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/

    While this link refers to Zoom meeting security, I think it also applies here. I share the sentiment from the quote below. News articles that sensationalize a security flaw can convey the impression that the product should be thrown away, never to be used again. These articles lack context and make for effective click-bait, but provide no information that you can act on:

    From the article:

    “What we have here is a company that is relatively easy to use for the masses (comes with its challenges on personal meeting IDs) and is relatively secure,” Kennedy wrote. “Yet the industry is making it out to be ‘this is malware’ and you can’t use this. This is extreme. We need to look at the risk specific applications pose and help voice a message of how people can leverage technology and be safe. Dropping zero-days to the media hurts our credibility, sensationalizes fear, and hurts others.”

    “If there are ways for a company to improve, we should notify them and if they don’t fix their issues, we should call them out,” he continued. “We should not be putting fear into everyone, and leveraging the media as a method to create that fear.”

  2. Hold everyone’s horses here! It’s not what ZecOPs is claiming. Read the article and their website for real data on what they’ve actually claim, not the hype!

    Nowhere does Avraham say he’s in possession of an “in-th-wild” weaponized email that’s actually been used to crash and raid data from an iOS device! He’s reporting that he’s found a vulnerability which could be used to do that.

    He specifically states that he’s discovered by analyzing crash reports!

    Avraham based most of his conclusions on data from “crash reports,” which are generated when programs fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes.

    Two independent security researchers who reviewed ZecOps’ discovery found the evidence credible, but said they had not yet fully recreated its findings.

    It has NOT been duplicated in peer review, and he doesn’t have a real “exploit” but a theoretical vulnerability that could have been used the way he claims, but no evidence it has been. He then makes the illogical leap that his mythical, magical hackers can also install more code to hijack the entire iOS device once this vulnerability has crashed it and forced a restart. Say what?! No way!

    ZecOp has a throw-away line in their report that states that the attacker “could” exploit this vulnerability only if the attacker controlled the email server. Say what???!!! That’s an important prerequisite, but they just toss it out there as if it were of no, or minimal, consequence!

    This tells me that attacking vector has to be injected immediately prior to being sent to the target device, that it most likely cannot survive passage through multiple ISPs, where it would either crash the servers or be stripped out due to being detected as being an impermissible data overflow by validation checks. In other words, this is only exploitable as a targeted attack from someone who has first hijacked the target’s email server. If so, that attack target already has a much more severe problem than an attack on their personal portable devices.

    To me, it seems obvious that Apple does not consider this an exploitable vulnerability requiring a stand alone security update for all versions of iOS since iOS 11.3. It’s not, given the parameters you can read between in the reports. It’s a minor glitch easily handled in a major update when it’s due to be released. ZecOp did not like that time line so they jumped the gun and made a press release to get credit beyond what is earned for minor vulnerabilities. This is not ZecOP’s first foray with this approach to getting attention.

    Apple just released iOS 13.4.1 for the SE and did not include a fix they supposedly have for this vulnerability in that update. That tells me it’s not exploitable.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.