Recently, we discovered a serious vulnerability in the built-in mail client for iOS by Apple. The first information about this vulnerability was disclosed by the research group ZecOps.

After a routine iOS Digital Forensics and Incident Response (DFIR) investigation, ZecOps analyzed these events and discovered an exploitable vulnerability affecting Apple’s iPhones and iPads. ZecOps experts found the vulnerability’s implementations, which have put corporate users, VIP clients, and MSSPs (Managed Security Service Providers) at risk for a prolonged period of time.

According to ZecOps, this vulnerability has existed since iOS 6, which was released in September 2012, and works on versions up to iOS 13.

Apple has already been notified of the vulnerability and partially addressed it. Users are advised to update their system if possible, disable automatic data loading and the “Push” option on the “Passwords and Accounts” tab, and install an alternative email client.

We strongly recommend that our clients take immediate steps to secure their email, such as installing a temporary alternative email client and updating their system to the latest version.

You can do this by following these steps: https://developer.apple.com/support/install-beta/

The vulnerability will be fixed in iOS 13.4.5.