Report: Default Apple email app vulnerable to ‘0-click’ attacks


April 24 (UPI) — Apple’s default email app for iPhones and iPads contains a flaw that makes it vulnerable to hackers, according to a report by a San Francisco cybersecurity firm.

The report by ZecOps released Wednesday states that the Mail app — which comes standard on products that run Apple’s iOS operating system — is vulnerable to “0-click” attacks. Such email-based cyberattacks are unique in that they don’t require the victim to download a file or click an infected link.

“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS13,” the report states.

ZecOps said the vulnerability allows hackers to remotely execute code on victims’ devices and allows them to infect a device by sending emails that consume a significant amount of memory.

The firm added it believes attacks using the exploit has been used against six targets including individuals from a Fortune 500 company in North America, a Japanese mobile carrier and a journalist in Europe.

Victims of the exploit may notice a slowdown of the Mail application or sudden crashes but would not otherwise experience any anomalous behavior.

Failed attacks would result in an email with the message: “This message has no content.” However, a failed attack may go unnoticed if the attacker is able to carry out a successful attack and delete the email.

The exploit was discovered in all tested versions of iOS from the current version of iOS13 to iOS6, which was issued when the iPhone 5 was released, the report stated.

ZecOps recommends that users disable the Mail app until a patch is available and said that other email applications available on iOS devices such as Outlook and Gmail do not share the vulnerability.


Please enter your comment!
Please enter your name here