Apple iPhone Mail App Zero-Day Security Exploit Potentially Exposed Private Data Of Millions
According to a blog that ZecOps researchers posted today, the vulnerability is "widely exploited" and has primarily targeted "VIPs, executive management across multiple industries, individuals from Fortune 2000 companies" around the globe.
The exploit requires absolutely no user-intervention in iOS 13, and can be perpetrated by an email sent to a target while the Mail app is simply running in the background. Since the user doesn't have to click an email link, or even have the Mail app running in the foreground, it's being called a "zero-click" attack. Apple's latest iOS 13.4.1 is reportedly susceptible, as are all previous versions of the mobile operating system dating back to iOS 6. However, it appears that hat in-the-wild attacks weren't "triggered" until iOS 11.2.2 in January 2018.
An attacker can use this method to perform remote code execution on an iPhone/iPad by sending emails that will cause a memory crash. What's even more interesting is that the researchers indicate that the vulnerability "can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device."
The rather unsettling aspect about this vulnerability is that ZecOps claims that it has evidence that it has been actively exploited in the wild for at least two years. And although it's little consolation to businesses that have already been hit, Apple has reportedly fixed the vulnerability with the most recent iOS 13.4.5 beta which is currently in the hands of developers ahead of a public release.