A zero-day vulnerability in Apple’s Mail application for iOS has been used to target high-profile victims around the world for more than two years, according to ZecOps research published Wednesday.
The flaw, which ZecOps uncovered through conducting a routine digital forensics and incident response investigation, is triggered by sending emails that consume a “significant amount” of a device’s memory. From there, hackers could gain access to email accounts via Mail, gaining the ability to leak, modify, or delete emails.
If the attackers want to cause additional harm and gain further access to victim devices, it “would require an additional infoleak bug [and] a kernel bug afterwards,” the researchers write in a blog that details their findings.
ZecOps assesses with “high confidence” that individuals at a U.S. company in the Fortune 500, managed security service providers from Saudi Arabia and Israel, an executive in Japan, a journalist in Europe, and a high-profile individual from Germany were among the accounts targeted via the vulnerabilities.
Apple has issued a patch in the beta version of iOS 13.4.5 for the vulnerabilities ZecOps disclosed Wednesday. Apple did not immediately return request for comment on other patches or remedies available for iPhone and iPad users at this time.
The vulnerability required little interaction with users, as it can be triggered without downloading the entire email, the researchers said. On iOS 13, users don’t have to perform any action for the exploitation to take place at all. On iOS 12, victims have to at least click on the email.
But for victims there may be some indications they have encountered malicious emails. On iOS 12, the Mail application may crash unexpectedly after the vulnerability is exploited, according to ZecOps. On iOS 13, users may experience almost imperceptible slowdowns.
Unfortunately, in some cases it appears that the hackers that have leveraged the vulnerabilities have deleted the emails that triggered the hack in the first place, making it more difficult to trace the attack.
ZecOps doesn’t have clear visibility into who the attackers are, but believes they may be linked with “at least one nation-state threat operator,” who may have bought the exploit from a third-party reseller.