A security company which discovered iPhone Mail vulnerabilities claimed that they have been ‘widely exploited’ in real-world attacks. Apple has now denied this claim, stating that it could find ‘no evidence’ that the exploits have been used.
Additionally, it says that the vulnerabilities in question cannot bypass iPhone and iPad security safeguards …
Background on iPhone Mail vulnerabilities
Apple has acknowledged the three issues discovered by security group ZecOps and has patched them in the iOS 13.4.5 beta, which should be released to the public soon.
However, ZecOps went on to claim that real-world attacks have been carried out by exploiting these vulnerabilities as far back as January 2018 (in iOS 11.2.2). It went so far as to give examples of specific individuals it believes were targeted using the exploit.
Apple’s denial
Bloomberg reports that Apple not only says it can find no evidence to support this claim, but that the vulnerabilities are not sufficient to allow the reported attacks to succeed.
The suspected targets named by ZecOps included:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A journalist in Europe
- Suspected: An executive from a Swiss enterprise
The denial is not a complete refutation of the claim. It may be the case that the specific vulnerabilities alone cannot bypass security safeguards, but that they can be combined with existing exploits in order to do so. However, the denial is strongly worded, suggesting the Cupertino company does genuinely believe that no real-world attacks have taken place.
“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” the Cupertino, California company said. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”