Your iPhone’s default email App is vulnerable to hacking


iPhone and iPad’s iOS mail has two zero-click security vulnerabilities that allow hackers to spy on you

Your iPhone and iPad running on anything before the iOS v13.5 is vulnerable to remote spying through two zero-click security vulnerabilities in the default iOS mail App. The vulnerabilities are pretty serious and could allow even state-sponsored hackers to steal your confidential information through your default iOS email App.

The German federal cybersecurity agency, BSI has issued a separate warning to iPhone and iPad users to update their devices to the latest Apple iOS version immediately.  “Due to the criticality of the vulnerabilities, the BSI recommends that the respective security update be installed on all affected systems immediately,” the BSI (Bundesamt für Sicherheit in der Informationstechnik) said.

What are the zero-click vulnerabilities in the iPhone and iOS?

Zero-Click vulnerabilities are a serious hacking threat. These vulnerabilities can be exploited without the victim clicking even a single button and are prized by cybercriminals because they don’t require tricking targets into taking any action. The iPhone and iPad default iOS mail App has two such vulnerabilities which can be triggered with a maliciously crafted message. The first vulnerability, tracked as CVE-2020-9819, could lead to heap corruption while the second vulnerability, tracked as CVE-2020-9818, may lead to unexpected memory modification or application termination.

Cybersecurity researchers from ZecOps had disclosed these zero-day vulnerabilities in January 2018 after discovering a state-sponsored hacking campaign on iPhone users. The zero-click attacks were increasingly used to target journalists, activists, and dissidents by known state actors.

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications (hence the 4141..41 strings). While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

Since then, Apple has fixed both the zero-days in its iOS 13.5 and iPadOS 13.5 released by improving how the iPhone and iPad handle memory and bounds. These zero-click vulnerabilities affect iPhone 6S and later, iPad Air 2 and later, iPad mini 4 and later, and the iPod touch 7th generation, according to the iOS 13.5 security release notes.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments