A cybersecurity company has discovered a vulnerability that affects the iOS Mail app and puts users' data at risk
Apple's email client, the Mail app, is dangerous because it has a serious vulnerability, and has had it for a very long time: since iOS 6 came out in 2012. This was discovered by cybersecurity firm ZecOps, which is also convinced that this vulnerability has already been exploited at least once.
Using this vulnerability, a hacker could execute malicious code (i.e. malware or a virus) on a person's device, in some cases even without the user having to click on any links or download files: it's a bug in the Mail app and iOS, which can be exploited by sending the victim a regular email. The problem, ZecOps explains, is that devices with iOS 13 are even easier to attack than those with iOS 12 or earlier. The first real case of an attack that exploits this vulnerability, according to the electronic security company, dates back to January 2018 when a device with iOS 11.2.2 was attacked. The solution? There isn't one: Apple hasn't yet released a patch for the operating system or Mail that could close the flaw.
Why the Mail app is dangerous
The vulnerability discovered by ZecOps is a bug that allows a hacker to remotely execute code by sending the potential victim an email that consumes a lot of RAM. The message does not need to be large: it only has to be packed in a way that dramatically increases memory consumption. Once that's achieved, the vulnerability comes into play. ZecOps did not describe it in detail, however, to give Apple time to close the flaw.
No click needed
The vulnerability can be triggered before the entire email is downloaded, so its contents won't necessarily remain on the device and, therefore, may not even leave a trace. It's possible that there have been quite a few such attacks without anyone being able to notice, not least because on iOS 13 the user does not need to click on any links or download any attached files. On iOS 12 or earlier, however, user action is required. In any case, the attack starts even before the device displays the email message. As there is no patch for this vulnerability yet, ZecOps advises all Apple users not to use the Mail app and to temporarily replace it with an equivalent one.