Apple Confirms 0-Day iPhone Mail App Security Exploit, Denies That Customers Were In Danger

Earlier this week, it was reported that a zero-day exploit targeting the iOS Mail app has been running in the wild. First discovered by the researchers at ZecOps, the vulnerability has been labeled as "zero-click" because it allegedly needs no intervention from the user to attack an iPhone or iPad running even the most recent versions of iOS 13.

A total of two vulnerabilities were found by ZecOps, which included the possibility for remote code execution. Now, Apple is responding, and it is trying to throw some cold water on the severity of these exploits. The company released the following statement to news organizations on Friday:

Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.

According to ZecOps, the vulnerabilities that it found affect devices running iOS 6 through iOS 13.4.1. However, the security firm claims that the vulnerabilities weren't actively exploited until January 2018, once iOS 11.2.2 was released.

But Apple's statement above claims that no customers were put in danger by the vulnerabilities, which seems to contradict ZecOps' rather detailed findings. In fact, ZecOps claims that suspected targets included:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A journalist in Europe
  • Suspected: An executive from a Swiss enterprise

No matter who's right or wrong in this case, Apple says that it is working on a software update that will address these outstanding issues. More specifically, it's suspected that the holes will be closed with iOS 13.4.5, which is currently in beta.