While considered a safer alternative to Android devices, the iPhone is not without its vulnerabilities, including an iOS default Mail app flaw that might have already affected a number of owners.
Very few products, if any, are totally safe. However, there are degrees of danger and with Android’s more open nature, it can be easier for hackers to get away with successful attacks using Google's platform than Apple's. This particular one is not only noteworthy because it affected Apple’s iPhone, but also because it has been deemed a zero-click exploit.
The details on the vulnerability comes from a new posting by ZecOps. The researchers explain how they found an exploit that only required the sending of an email to an iOS account on an iPhone or iPad, and how the receipt of the email itself was enough to trigger the exploit on iOS 13. At the base level, the attack could allow hackers to gain access to the inbox and its contents, but if coupled with another attack, it could be used to more devastating effect. Adding to the severity of the issue, the researchers explain that all tested versions of iOS (6 and up) were vulnerable, and that they believe that attacks have already taken place on enterprise users, VIPs, and MSSPs, at a minimum. Furthermore, they were able to trace attacks dating as far back as January 2018. For reference, the exploit is specific to the default Mail app with the researchers noting that third-party mail services, including Gmail and Outlook, were not affected.
iPhone Exploit Without User Intervention
What makes this exploit so concerning is that it required no action by the user other than receiving the email and opening it When it comes to iOS 13, or if the hacker was already in control of the server, then even opening the email was not required. Typically, an exploit would require the user to visit a link, or download a file, but none of those additional actions - that users are so often warned about - mattered here. Once the email was opened, as most people will naturally do, the exploit was already achieving its goal. As an added negative - or benefit to the hackers - this also meant the attack could take place without the user actually being aware it had.
For now, it looks like the threat has largely been averted as according to the security posting, Apple was made aware of the issue last month. In addition, the iPhone-maker has also rolled out a patch as part of the iOS 13.4.5 beta release, and it would be expected that the same patch will eventually make its way to non-beta versions as well. While this still means it is technically out there, and the researchers have warned of the potential for an increase in attacks now that's existence is public knowledge, iPhone owners can take extra precautionary action if they want to by switching to the beta. Either way, it is highly advisable that any iPhone owner immediate applies any iOS update as soon as Apple makes one available.
Source: ZecOps