Security researchers discovered a pair of zero-day vulnerabilities in the Mail apps on iPhone and iPad, which were exploited by attackers.
ZecOps, a San Francisco-based cybersecurity company, said they discovered two vulnerabilities in the default iOS and iPadOS email applications during routine digital forensics on customer devices.
After further investigation, they found evidence of targeted attacks, and they outlined the two vulnerabilities in a report on Wednesday.
These vulnerabilities allow attackers to run remote code by using specially crafted mail by exploiting the MobileMail and Mailid processes in iOS 12 and iOS 13.
Moreover, if triggered properly, users will not know that they have been hacked. Researchers say that the variant of the vulnerability can be traced back to at least iOS 6.
Because the vulnerability was used to attack users before Apple issued a patch, it was regarded as a zero-day attack. Usually, the zero-day vulnerability in iOS is very rare and the price is very expensive.
For its part, these vulnerabilities do not pose too much risk to users-they only allow attackers to read, modify, or delete emails.
But if combined with another kernel attack, such as the unpatchable Checkm8 vulnerabilities, these vulnerabilities may allow bad actors to gain root access to specific target devices.
At least one of these vulnerabilities can be triggered remotely without any user interaction. This kind of attack is called "zero click". ZecOps added that the second vulnerability was probably discovered accidentally when trying to exploit "zero click" .
ZecOps found in its report that some of its customers were targeted, including employees of a Fortune 500 company in North America, a reporter in Europe, and a VIP in Germany.
Interestingly, although there is evidence that these vulnerabilities were executed on the target device, the email itself does not exist. This shows that the attacker deleted these emails to cover up his whereabouts.
ZecOps said that ZecOps issued a vulnerability alert to Apple in February. Since then, both vulnerabilities have been patched in the latest beta version of iOS 13, and the fix will appear in iOS and iPadOS 13.4.5 in the next public iOS update.
