Over half a billion iPhones are vulnerable to hackers, and iPads are susceptible, too — and Apple is still working to deploy its fix.
The issue — which was discovered by cybersecurity company ZecOps exec Zuk Avraham — lies with Apple’s Mail app, which leaves devices vulnerable to hackers, according to Reuters.
Avraham found a malicious program was exploiting the bug as far back as January 2018, though he’s not sure who was behind the program. He said iPhone owners who were affected were sent a blank email message that crashed the app and forced a reset.
Owners didn’t even have to open the message for the crash to happen, according to The Wall Street Journal. The Mail app downloading it was enough. Hackers could then access the device’s photos, contact, and other data. The vulnerability also left the Mail app susceptible to hackers, including the ability to see private messages.
Avraham doesn’t believe many people have been targeted by the malicious program. Apple said it’s fixed the issue, but it hasn’t yet widely deployed the patch via an update yet.
Though Apple often touts the security of its products, this isn’t the first vulnerability researchers have found this year. In February, software developers found a flaw in Apple iOS’s copy-and-paste system. It affected both iPhones and iPads.
If you hit copy on some text on your device, it would assume you wanted to paste it into the next app you open. But if you accidentally hit copy and opened a different app, it would still be able to access whatever you copied. Essentially, any app or widget would be able to “see” whatever you had copied, if you opened it right after.
Tommy Mysk, one of the developers who found the problem, told Digital Trends that you can help combat the issue by disabling Universal Clipboard on your device.
If you’re wary about having the Mail app on your iPhone or iPad while waiting for Apple to deploy an update for the issue, you can always delete it.
Patrick Wardle, a security researcher at Jamf Software LLC, told the Wall Street Journal that’s probably unnecessary, as the malicious program seems very limited in reach at this point.