Apple finds no evidence hackers exploited iPhone and iPad email flaw

San Francisco-based ZecOps said flaw can be used in attacks conducted by an advanced threat operator

People wearing face masks following the coronavirus disease (COVID-19) outbreak are seen at an Apple store as the new iPhone SE goes on sale, in Hangzhou, Zhejiang province, China April 24, 2020. China Daily via REUTERS  ATTENTION EDITORS - THIS IMAGE WAS PROVIDED BY A THIRD PARTY. CHINA OUT.
Powered by automated translation

Apple said it found no evidence of cyber criminals exploiting newly discovered vulnerabilities in its email app for iPhone and iPad, software used by hundreds of millions of people worldwide.

The company is countering assertions by cyber-security firm ZecOps that software flaws may have allowed hackers to infiltrate iPhones and other iOS devices for more than a year.

Apple launched an investigation and said in a statement the mail issues were insufficient by themselves to allow attackers to bypass built-in security, adding it will issue a fix soon.

“We have thoroughly investigated the researcher’s report and based on the information provided, have concluded these issues do not pose an immediate risk to our users,” Apple said.

“The researcher identified three issues in mail, but alone they are insufficient to bypass iPhone and iPad security protections… we have found no evidence they were used against customers.”

San Francisco-based ZecOps said on Wednesday the vulnerability can be exploited when a specially crafted email is opened on the app by an iPhone or an iPad.

The flaws may have been used in attacks conducted by “an advanced threat operator,” it said in a report.

Among the victims were “individuals from a Fortune 500 organisation in North America” and “an executive from a carrier in Japan,” as well as “a journalist in Europe”, ZecOps said.

The vulnerabilities may have been exploited by attackers since January 2018, it added.

The bugs were disclosed publicly when Apple issued a beta update and attackers “will likely use the time until a patch is available to attack as many devices as possible,” ZecOps predicted.