iPhone’s Mail app has two severe “zero-click” vulnerabilities that have existed for 8 years

Security researchers have found two critical vulnerabilities in Apple’s Mail app that allow attackers to take over an iPhone or other iOS device by simply sending the user a specially crafted email. Reportedly, hackers have been exploiting the flaws since 2018.

Apple’s iOS 13 has received several bug-fixing updates in its six-month lifespan so far. Among the most notable were patches for bugs that killed background apps, drained your battery for no apparent reason, prevented you from using the camera, or tracked your precise location even if you had expressly disabled that in settings. These new vulnerabilities, however, sound considerably more serious.

Two security flaws have been found in the default Mail app that comes pre-installed on all iPhones and iPads. According to a report from security research group ZecOps, several high-profile people have been targeted by hackers since January 2018, including an executive from a telecom company in Japan, a European journalist, an executive from a Swiss enterprise, and individuals from an unnamed Fortune 500 company.

The severity of the two flaws is highlighted by the fact that, unlike most email-based attacks, which typically require the user to click a link and visit a website, these flaws make it possible for hackers to take over your phone when the Mail app is simply opened and displays a specially crafted malicious email. This is referred to as a “zero-click vulnerability.”

Researchers note that the attacks exhibit many of the characteristics observed in other operations of a certain state-sponsored hacker group, but they declined to name it. More importantly, the two vulnerabilities have been confirmed to date as far back as iOS 6, which was released in 2012.

For a regular user, the most they’d notice is a little sluggishness in navigating the Mail app, or, as you can see in the image above, emails that appear to have no content and can’t be displayed. In rarer instances, the Mail app would crash after trying to access your inbox.

ZecOps alerted Apple about the two vulnerabilities in February, but for the time being a fix is only available in the iOS 13.4.5 beta, which means you’ll have to wait until Apple releases it to the general public.

In the meantime, you can always use an alternative email app like Outlook or Gmail. You may also want to disable your Mail app for now by going to Settings -> Passwords & Accounts and disabling the Mail toggle under each email account you are using.