Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Two Apple Mail vulnerabilities being used to target iPhone, iPad users

Researchers have found two zero-day vulnerabilities in Mail that were actively used to attack users. Credit: ZecOps

Last updated

Security researchers have discovered a pair of zero-day vulnerabilities in the Mail app for iPhone and iPad that they have found in the wild, and being used by attackers.

San Francisco-based cybersecurity firm ZecOps said that they came across the two flaws in the default iOS and iPadOS Mail app while running routine digital forensics on customer devices. After further investigation, they found evidence of targeted attacks, which they outlined in a report on Wednesday.

The vulnerabilities allow an attacker to run remote code by exploiting Apple's MobileMail and Mailid processes in iOS 12 and iOS 13, respectively, through the use of a specially crafted email. And, if triggered properly, a user wouldn't know that they were being hacked.

Variants of the flaw stretch back to at least iOS 6, the researchers said. Because the vulnerabilities were used to attack users before Apple could issue a patch, they're considered zero-day attacks, which is significant because iOS zero-days are extremely rare and often quite expensive.

By themselves, the flaws don't pose too much of a risk to users — they only allow an attacker to leak, modify or delete emails. But combined with another kernel attack, such as the unpatchable Checkm8 exploit, the vulnerabilities could allow a bad actor root access to a specifically targeted device.

At least one of the flaws can be triggered remotely without any user interaction — an attack known as a "zero-click." ZecOps added that the second vulnerability was likely discovered by accident while attempting to leverage the zero-click. The vulnerability impacting iOS 13 is the zero-click. While the iOS 12 flaw does require users to actually tap on an email, that requirement doesn't apply to attackers who send messages from a mail server that they control.

An example of a failed attack. Succesful ones wouldn't show an error message. Credit: ZecOps An example of a failed attack. Succesful ones wouldn't show an error message. Credit: ZecOps

In its report, ZecOps found that a number of its customers were targeted, including employees at a Fortune 500 company in North America, a journalist in Europe and a VIP in Germany. Interestingly, while there was evidence that the flaws were executed on targeted devices, the emails themselves weren't present. That suggests that the attackers deleted the emails to cover their tracks.

The researchers believe that the attackers were working for a nation-state that had purchased the attacks from a third party, adding that at least one "hacker-for-hire" organization was selling exploits that use email as the main vector.

On the other hand, security researchers who spoke to Motherboard said that the flaw was relatively unpolished compared to other hacks, meaning that sophisticated attackers would probably deem it too risky to use against "high value targets."

Still, ZecOps notes that attacks using the exploits are likely to increase in frequency since they're now publicly disclosed. The researchers said bad actors will "attack as many devices as possible," meaning that normal users could end up targeted. That becomes more dangerous if the exploits were leveraged by cybercriminals with access to additional vulnerabilities.

The vulnerabilities only impact the native Mail application, and not third-party apps. To mitigate the attacks, ZecOps recommends that users stop using Mail on iOS and iPadOS until a patch is issued. MacOS is unaffected.

ZecOps said it alerted Apple to the vulnerabilities in February. Both of the flaws have since been patched in the latest beta releases of iOS 13, and a fix is set to arrive in the next publicly available iOS update in iOS and iPadOS 13.4.5



18 Comments

lkrupp 19 Years · 10521 comments


Still, ZecOps notes that attacks using the exploits are likely to increase in frequency since they're now publicly disclosed. The researchers said bad actors will "attack as many devices as possible," meaning that normal users could end up targeted. That becomes more dangerous if the exploits were leveraged by cybercriminals with access to additional vulnerabilities.But that never seems to actually happen, does it? We get these ominously scary predictions by security researchers advising us to hide under our beds and two days later nobody is talking about them, and life goes on. 

maltz 13 Years · 507 comments

lkrupp said:

Still, ZecOps notes that attacks using the exploits are likely to increase in frequency since they're now publicly disclosed. The researchers said bad actors will "attack as many devices as possible," meaning that normal users could end up targeted. That becomes more dangerous if the exploits were leveraged by cybercriminals with access to additional vulnerabilities.


But that never seems to actually happen, does it? We get these ominously scary predictions by security researchers advising us to hide under our beds and two days later nobody is talking about them, and life goes on. 


Just because it's never happened to you, doesn't mean it never happens... There are plenty of examples where things like this affected tens of thousands (or more) people/websites/systems.

22july2013 11 Years · 3736 comments

I guess you could do what we still do on Windows to protect ourselves - not read emails from unknown sources. However maybe the preview pane is part of the danger here if it "reads" email automatically.

maltz 13 Years · 507 comments

I guess you could do what we still do on Windows to protect ourselves - not read emails from unknown sources. However maybe the preview pane is part of the danger here if it "reads" email automatically.

Nope. This is a zero-click on iOS 13. Merely receiving the email in the background is enough, you don't even have to open the Mail app. In fact, the entire email doesn't even have to be downloaded, so it could be deleted before you ever even see it. https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/

ApplePoor 5 Years · 306 comments

Sounds like just owning and using an iPhone using iOS 13means we are screwed