【China Archives】

A newly disclosed iPhone vulnerability gives hackers yet another reason to love email.

According to the San Francisco-based security firm ZecOps,China Archives bad actors have discovered a way to attack iOS devices via their default email app. And here's the real kick to the guts: In some cases, you don't even have to be tricked into opening the email. The damage is done simply by your phone downloading the malicious email in the background.

ZecOps published details of the vulnerability on Monday, claiming it has seen the attack "widely exploited in the wild." In other words, ZecOps is saying this isn't just some theoretical bug. Rather, people have actually used it in targeted attacks. The vulnerability affects, to some degree, every version of Apple's operating system from iOS 6 and up.

---

You May Also Like

---

---

"The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory," explains ZecOps. "The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device."

Phones running iOS 13 are particularly vulnerable, as they reportedly don't even need to open the email for it to do its work. If you're running iOS 12, you're a tad bit better off — you have to click the email first, but your phone is ultimately still at risk if you do so.

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

We reached out to Apple to both confirm ZecOps report and to determine when, if ever, it plans to issue a patch. Apple confirmed that a vulnerability in Mail is patched in the iOS 13.4.5 beta, which is out now, and will be included in an upcoming software update.

This, reportedly, is what a failed attack looks like on an iPhone. Credit: zecops

At present, assuming you're not running a beta version of iOS, ZecOps says there is no way to prevent this attack other than to disable the default iOS mail app.

So, should you actually be worried about this? Well, that depends. Are you someone with valuable information that a nation-state might want a piece of? If so, then possibly.

Victims of this attack, claims ZecOps, include "individuals from a Fortune 500 organization in North America," "an executive from a carrier in Japan," "a VIP from Germany," "[managed security service providers] from Saudi Arabia and Israel," and "a Journalist in Europe."

SEE ALSO: As coronavirus spreads, yet another company brags about tracking you

In other words, your average Joe doesn't need to stress about this too much.

Still, it's worth keeping in mind that no operating system is completely hack-proof. And yes, that even includes Apple's. Oh yeah, and it also serves as a stark reminder that you should always make sure your phone is running the latest version of iOS — whether you're an average Joe or not.

Topics Apple Cybersecurity iOS iPhone

• Entertainment
• Digital Culture
• Science
• Games
• Shopping
• Life
• Deals
• Tech

• NYT Strands hints, answers for May 5
• Stevie Smith’s Eccentric Reading Style
• Need the Right Description? Let the Mustache Be Your Guide
• Remembering SimCity and Seeing Cities As Characters
• A Typical Wall Street Republican
• Three Millennia Later, Scholars Still Struggle with Sappho
• Best Garmin deal: Garmin epix smartwatch on sale for $200 off
• What is a karmic relationship?
• Outdoor speaker deal: Save $20 on the Soundcore Boom 2
• Google launches pizza mini

• NASA spots a telltale 'Star Trek' sign on Mars
• 27 times J.K. Rowling was the hero we all needed in 2016
• Genius said it used morse code to catch Google stealing lyrics
• Apple's Tim Cook urges Stanford students to take responsibility
• Instagram makes it easier to take back hacked accounts
• 'Toy Story 4' justifies its own existence by questioning it: Review
• Prince Harry and Meghan Markle release first photo of baby Archie
• Jake Gyllenhaal reveals to Ellen what he wears to bed
• What to stream with your dad Father's Day weekend 2019
• Many health and wellness apps haven't done research to back up claims

• Mary Shows Up
• TikTok and Billboard now have their own music chart
• Roz Chast‘s Ideas for the Paris Review Revel, Circa 1985
• Max Blecher‘s Adventures in Immediate Reality
• Samsung Unpacked stream is set for May 12, 2025
• New Lovers: A Publisher’s Quest to Redefine Erotica
• In Alec Soth's New Photographs, a Fresh Take on Public Space
• Viral TikTok air fryer smashed Brussels sprouts delivers on its promise
• Astronomers saw one galaxy impale another. The damage was an eye
• New Lovers: A Publisher’s Quest to Redefine Erotica

• What cracked the Milky Way's giant cosmic bone? Scientists think they know.
• 'The thing that killed' Twitter meme argues everyday tasks are actually famously deadly
• Yasmina Reza on the Frivolous and the Profound
• Staff Picks: DeLillo, Jean Merrill, Cabinet, and More
• Your 'wrong person' texts may be linked to Myanmar warlord
• Apple iPhone 15 preorder details: How to buy it
• Finally! BTS open individual Instagram accounts
• On Train Delays and Selfishness
• Dyson V8 Plus cordless vacuum: $120 off at Amazon
• Get up to $154 off Shark robot vacuums at Best Buy