
Apple admits there’s a new iPhone security flaw, but says it wasn’t exploited

Published Apr 24th, 2020 6:50AM EDT

  • Apple says a newly found set of vulnerabilities that affect the Mail app on iPhone and iPad were not used by attackers.
  • The company that discovered the security issues said it had evidence of attackers exploiting the flaws on unspecified targets.
  • A fix for the Mail app will be available soon to all iPhone and iPad users, as Apple has already patched the vulnerabilities.

Reports earlier this week said cybersecurity company ZecOps discovered two zero-day security vulnerabilities that can affect the default Mail app preloaded on iPhone and iPad. One of the flaws would allow remote code execution, while the other could infect the iOS device by sending emails to an iPhone or iPad user. An attacker would be able to combine these attacks to access a user’s emails. Reports also said that Apple had patched the vulnerabilities in the latest iOS 13.4.5 beta version, and the fixes would be rolled out to all users in the coming weeks.

While ZecOps recommends the use of a third-party app like Gmail until the update arrives, and claims that the vulnerabilities have been used on actual targets, Apple says it found no evidence that the iPhone Mail flaws were exploited.

“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” Apple told Reuters in a statement. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”

ZecOps’ chief executive Zuk Avraham said he found evidence that the vulnerabilities were used in at least six cybersecurity break-ins, going back as far as January 2018. The exec did not provide additional information about said hacks, but he did say he could not determine who the hackers were. According to previous reports, the targets included execs at unnamed companies and government officials.

In response to Apple’s statement, ZecOps added that it found evidence of related hacks against “a few organizations,” and that it would share more details on the matter once the software update is available to the public.

It’s not uncommon for security researchers to discover severe bugs in software that would give hackers access to a device. Several companies, including Apple, offer cash incentives for researchers to disclose potential security flaws. As with ZecOps’ findings, researchers usually explain those vulnerabilities to the public in greater detail once the security issues have been mitigated and a software patch is in place.

If you’re worried about the security of your emails, you can always ditch Mail in favor of Gmail or Outlook until the iOS 13.4.5 release rolls out.

Chris Smith Senior Writer
