
Apple has yet to fix a mysterious iMessage bug spotted by Google researchers

Published Jul 30th, 2019 6:04PM EDT


Next week in Las Vegas at the Black Hat security conference, Google Project Zero researcher Natalie Silvanovich is set to give a presentation about interactionless iPhone vulnerabilities that can run without the victim taking any action at all. The talk will come on the heels of Silvanovich and a Google Project Zero colleague, Samuel Groß, discovering half a dozen iOS vulnerabilities that can be exploited via iMessage, although five of those flaws, according to ZDNet, were fixed with last week’s iOS 12.4 update. However, as of this writing, Apple has apparently not yet completely fixed the final bug. The iOS 12.4 release actually patched all six flaws, but according to Silvanovich, the release didn’t fully resolve the sixth flaw, which is consequently being kept under wraps for now.

It should go without saying: if you’re not yet running the latest iOS release, stop what you’re doing and update right now. Details about flaws like these are so sought-after by hackers that they can fetch more than $1 million each on the black market. That means the vulnerabilities the Google researchers told Apple about could easily have been worth more than $5 million, with a more optimistic estimate of their value being as high as almost $10 million.

A quick note about the flaws themselves: It seems that the not-yet-fully-fixed sixth flaw, along with three others, presents itself after a hacker sends someone an iMessage containing code which can attack a phone that’s not running the latest iOS software. The other two flaws utilize a memory exploit.

These kinds of interactionless vulnerabilities are frequently described as “holy grails” for attackers, and ZDNet’s report even cites one estimate that Google’s researchers could have stood to make as much as $24 million if they’d sold them to shady actors. Needless to say, Silvanovich’s talk scheduled for next week has already attracted significant interest.

Andy Meek Trending News Editor

Andy Meek is a reporter based in Memphis who has covered media, entertainment, and culture for over 20 years. His work has appeared in outlets including The Guardian, Forbes, and The Financial Times, and he’s written for BGR since 2015. Andy's coverage includes technology and entertainment, and he has a particular interest in all things streaming.

Over the years, he’s interviewed legendary figures in entertainment and tech that range from Stan Lee to John McAfee, Peter Thiel, and Reed Hastings.