The native Mail app for iOS, one of the most commonly used apps by millions of iPhone owners around the world, contains a flaw that makes it vulnerable to attack by hackers, and has done so since 2012. Or so a security report published yesterday would have you believe.
The research term at ZecOps (a San Francisco-based "cybersecurity automation company") says the vulnerability "enables an attacker to remotely infect a device by sending emails that consume significant amount of memory". This "resource exhaustion" is possible with normal-seeming emails - it is not dependent on the size of the email.
Most alarmingly, the firm insists that, on iOS 13 at least, it enables 'zero-click' attacks; merely opening the Mail app in the background is enough to trigger the infection. In iOS 12 you may have to click on the email, although even here this won't be necessary if the hacker has control of the mail server.
ZecOps says the vulnerability has existed since iOS 6 in 2012. That such a significant flaw in such a widely used app could remain unpatched for so long seems scarcely believable, but this sort of thing is not unknown - the quantity of code on the average platform is so vast that companies often don't spot a flaw until security researchers (hopefully) or hackers (hopefully not) spot it for them.
The usual practice in white-hat circles is to inform the company quietly and not disclose the flaw publicly until it's fixed, so you don't lay users open to attack by newly informed hackers. That's only partly the case here: Apple has had time to issue a patch in the latest beta of iOS, but not in the public version. "If using a beta version is not possible," ZecOps airily advises, "consider disabling Mail application and use Outlook or Gmail that are not vulnerable."
Not everyone is convinced by the revelation, however. As The Verge points out, ZecOps has not disclosed any evidence, ostensibly because of privacy concerns in some cases and in others because it believes emails have been remotely deleted by the attackers.
The firm does say, however, that a number of high-profile individuals have been successfully targeted by the attack. Among suspected targets it lists "Individuals from a Fortune 500 organisation in North America, an executive from a carrier in Japan, a VIP from Germany, MSSPs from Saudi Arabia and Israel, a journalist in Europe and an executive from a Swiss enterprise". It seems reasonable that the researchers would not want to name these individuals, but it's also not proof.
For advice on improving your device's protection against attacks like this, read our roundup of iPhone security tips. But if you're worried about malware, try not to be; nine times out of ten it will be something else like a misbehaving app or website. We have a tutorial showing How to remove a virus from an iPhone if the worst comes to the worst.
Apple has now responded to the discovery of the Mail security flaw - you can read about that here: Apple: Vulnerability in iOS Mail is harmless.