iOS vulnerability allows access to device via unopened mail
Details have emerged of a vulnerability in iOS that allows an attacker to gain access to the Mail client through an email that the user does not need to open. The only thing users will notice about the attack is that the Mail app is temporarily slower. Apple is working on a fix.
The attack gives access to users' emails, but another vulnerability could also give attackers broader access, writes security company ZecOps. The vulnerability is said to be one that would be used for targeted attacks on specific people. ZecOps says it has been exploited in attacks on companies, including top executives, but Motherboard has not been able to confirm that.
Users do not have to click on the email for the attack to succeed, according to ZecOps. The attack relies on an email whose content is too large for the software to handle. How large it needs to be depends partly on the phone's working memory. Afterwards, an attacker can delete the email to erase traces.
Apple will distribute a fix with the next minor update to iOS. The fix is already in the beta of iOS 13.4.5. Until then, users can deactivate the Mail app. Other mail clients such as Gmail and Outlook are not affected and can therefore be used safely until the update. ZecOps says it notified Apple in February, but wanted to publish now to alert users to the existence of the vulnerability.