The default email app on iPhones and iPads is vulnerable to a remote code execution attack which has not been patched on the live version of iOS.

Researchers at ZecOps found an iOS security flaw that allows a specially crafted email to cause memory overflow in Apple devices, opening an exploitable attack surface without needing user interaction.

An affected user might only notice their phone has slowed down or that the Mail app has crashed unexpectedly.

But behind the scenes, their phone has already processed a malicious email – one that was either sufficiently large to make the Mail app’s truncate function fail or caused the device to constantly remap the email’s data well beyond its memory threshold.

Either way, the attackers would have triggered an overflow that could allow them to view, modify, or delete emails without the user’s awareness.

Combined with other kernel vulnerabilities, the mail attack could even let attacks execute other exploitable code and potentially take control of the system.

You’re better off with Gmail

Since ZecOps alerted Apple to the vulnerability in February, the company has so far only patched the flaw in its beta for iOS 13.4.5.

Despite a fix only finding its way into a beta update, ZecOps decided to publicly disclose the bug, having first warned Apple it would do so.

“It is our obligation to the public, our customers, partners, and iOS users globally to disclose these issues so people who are interested can protect themselves by applying the beta patch, or stop to using Mail and temporarily switch to alternatives that are not vulnerable to these bugs,” the company said.

“We hope that with making this information public, it will help to promote a faster patch.”

The exploit affects all iOS versions on devices at least as early as the iPhone 6, which was released in 2012.

Cybersecurity researcher with Tenable, Satnam Narang, said users were better off not using the default mail app until a full patch is released.

“While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners,” Narang said.

“In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s Gmail."

A long time coming

ZecOps was unwilling to attribute the use of this iPhone vulnerability to specific groups, though it discovered evidence that the vulnerability had been used as early as 2018.

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used it ‘as-is’ or with minor modifications,” ZecOps said.

“We are aware that at least one ‘hackers-for-hire’ organisation is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

The cybersecurity firm also found business executives and VIPs had been hit with this attack.

High-profile people are frequent targets for cyberattacks – especially when their email service holds potentially valuable and sensitive information.

Earlier this year, news broke that Amazon CEO, Jeff Bezos, allegedly had his phone hacked by a Saudi Prince.

Spyware installed on the phone through WhatsApp caused the leaking of private information about Bezos’ divorce.