ZecOps, a cybersecurity company based in San Francisco, announced today that it had identified two zero-day vulnerabilities impacting the Mail App on iOS, putting Apple users at risk of email theft.
One of the exploits, according to the firm, allows attackers to remotely infect Apple’s iPhones and iPads by sending a special zero-click email to the victim’s mailbox to trigger the vulnerability. The other one requires remote code execution capabilities to trigger it.
Once the vulnerabilities are exploited successfully, the attacker will then be able to access, leak, modify, and even delete the victim’s email remotely.
According to the reports, the targets of this attack are corporate executives and government officials rather than the average Apple users.
“These vulnerabilities are widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organizations such as MSSPs,” ZecOps researchers said in their Wednesday report.
However, cryptocurrency users with iOS devices could also be a target considering that the crypto industry has become the playground for hackers. The attacker can easily steal valuable information like access to trading platforms and wallets.
Crypto traders are, therefore, advised to take necessary actions to protect themselves by disabling the usage of the iOS Mail App until Apple releases an updated version to fix the vulnerabilities. Users should also use third party mail apps like Gmail, Yahoo, and Outlook – these options are not affected by the bugs.
Binance CEO also suggests that crypto users should use different email addresses for each exchange, as this will reduce risks of the attack, even though that’s quite a task. Traders could also protect themselves by using different passwords, setting 2FA, and using secure apps and websites.
ZecOps further revealed that the exploits affect all Apple’s software versions between iOS 6 and iOS 13.4.1, and they have existed as far back as 2018.
However, Apple said it had patched the zero-days in the latest beta iOS 13.4.5, which will be available in a few weeks.