Apple insists big Mail app security flaws have not been exploited

Apple insists big Mail app security flaws have not been exploited


Mail app inbox
Nothing to worry about?
Photo: Ste Smith/Cult of Mac

Apple insisted on Friday that there is no evidence to suggest serious security flaws in its Mail app have been exploited.

The company says the issues do not pose an immediate risk to iPhone and iPad users. Its statement seems to dispute earlier claims from security researchers, who published details of at multiple suspected “attacks” on Wednesday.

“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” Apple told Bloomberg.

This comes after cybersecurity firm ZecOps revealed that it had discovered “a number” of vulnerabilities in the Mail app that date back as far as January 28. It warned that the flaws could be exploited without a user’s knowledge.

Apple says users are safe

ZecOps stated, with “high confidence,” that the vulnerabilities had been used “in the wild in targeted attacks.” It listed a number of targets, including individuals from a Fortune 500 company in the U.S., and a journalist in Europe.

Others included a carrier executive in Japan, an executive from a Swiss enterprise, and security providers in Israel and Saudi Arabia.

ZecOps also warned that it was aware of at least one “hackers-for-hire” organization that is selling exploits that might take advantage of the Mail app vulnerabilities. It advised users to update as soon as a fix is available.

Apple has downplayed these findings, and dismisses the claims that iPhone and iPad users have already been exploited. It also insists that its security protections are enough to prevent potential attacks.

No evidence

“The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers,” Apple added.

Apple did not reveal when a fix for the vulnerabilities might be available. The flaws are still present in iOS 13.4, and in the most recent iOS 13.4.1 beta. Those who are concerned can follow our guide on protecting yourself against a potential attack.


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.