Apple will patch a newly discovered iPhone vulnerability that security researchers say hackers have already used to steal data from their victims’ devices.
News of the vulnerability dropped Wednesday by security firm ZecOps. Zuk Avraham, the company’s chief executive, said the firm found the bug last year during a routine investigation. At least six organizations were targeted by attackers as far back as 2018, he said.
Avraham said the bug is in the iPhone’s default Mail app. By sending a specially crafted email to the victim’s device, an attacker can overrun the device’s memory, allowing the attacker to remotely run malicious code to steal data from the device, he said.
Worse, the bug doesn’t require any user interaction on the latest version of iOS 13, said Avraham.
The bug dates back to iOS 6, which was first released in 2012. Avraham later confirmed in a tweet that macOS, which also comes with an in-built Mail app, is not vulnerable.
iPhone vulnerabilities are some of the most valuable bugs for hackers because they are so difficult to find. Some buyers will snap up these highly sought-after bug for as much as $1 million. But because these more sophisticated bugs are so valuable, they are typically only ever obtained by well-resourced threat actors, such as governments. These exploits are often used against their targets, such as criminals or terrorists, in highly precise operations. But some governments are also known to target certain ethnic groups, activists and journalists.
To wit, Avraham said in his blog post that the targets of this attack included staff at a U.S.-based Fortune 500 company and a journalist in Europe. Avraham also did not name the apparent hackers but said that at least one of the attackers was likely a nation state.
When reached, an Apple spokesperson did not immediately comment. Motherboard, which first reported the story, said the bug has been fixed in a beta version of the software, and a fix will be rolled out in an upcoming update.
Until then, high-risk users should disable the Mail app for now.