Apple Finds No Evidence Hackers Exploited iPhone, iPad Mail Flaw

Apple Inc. said it found no evidence of cyber-attackers exploiting newly discovered vulnerabilities in the Mail app for iPhone and iPad, software potentially used by more than a billion people worldwide.

The U.S. company is countering assertions by cybersecurity company ZecOps Inc. that software flaws may have allowed hackers to infiltrate iPhones and other iOS devices for more than a year. Apple launched an investigation and said in a statement the mail issues were insufficient by themselves to allow cyber-attackers to bypass built-in security, adding it will issue a fix soon.

“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” the Cupertino, California company said. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”

San Francisco-based ZecOps responded to Apple’s denial Friday, reiterating that the vulnerability it had found had been exploited against “a few organizations.” In a statement, the company thanked Apple for working on a software patch and said that it “will release more information” after the patch is available.

ZecOps’s report about the vulnerabilities, released on Wednesday, said that the flaws can be exploited when a specially crafted email is opened on the app by an iPhone or an iPad. This have been used in attacks conducted by “an advanced threat operator,” it said in the report. Among the victims were “individuals from a Fortune 500 organization in North America” and “an executive from a carrier in Japan,” as well as “a journalist in Europe,” ZecOps said.

The vulnerabilities may have been exploited by attackers since January 2018, according to ZecOps. The bugs were disclosed publicly when Apple issued a beta update, and attackers “will likely use the time until a patch is available to attack as many devices as possible,” ZecOps predicted.