The Independent UK
Andrew Griffin

iPhone and iPad security bug could let hackers look at personal details including private photos, security researchers say

A bug in iPhones and iPads could have left people at risk of having their iPhones broken into and their personal information looked at, security researchers have claimed.

Just one email could be enough to crash the phone and use that to access the sensitive data contained on it, according to the researchers.

Apple will fix the bug in its operating systems that allowed hackers to break in through its email client, the Mail app.

More than half a billion devices could have been vulnerable to the exploit, according to the security researchers who found it.

The bug was found by San Francisco security company ZecOps while it was investigating a sophisticated attack against one of its clients, which took place at the end of last year, it claimed. The company then found evidence that it had been exploited in at least different cyber attacks, according to ZecOps chief executive Zuk Avraham.

Apple has confirmed that the major vulnerability exists in the email software and that a fix is on its way. The update will arrive in a new version of the operating system for its iPhones and iPads.

But it did not comment on claims that the bug could be triggered with just one email, or claims that it had already been used on high-profile people. While ZecOps claimed the bug has been used as far back as 2018 by unknown hackers, that claim is yet to be independently verified.

The attack would arrive in the form of an apparently blank email, according to Mr Avraham, which when opened would cause the Mail app to crash and then reset itself. It was that apparently innocent issue that opened up the exploit for hackers, who would then be able to take photos and contact details, he said.

Mr Avraham said that the bug was found when it was used against a "Fortune 500 North American technology company", but did not say which. There was evidence it had been used against other companies in Japan, Germany, Saudi Arabia, and Israel, he said.

Avraham based most of his conclusions on data from "crash reports", which are generated when programmes fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes.

Two independent security researchers who reviewed ZecOps' discovery found the evidence credible, but said they had not yet fully recreated its findings.

Patrick Wardle, an Apple security expert and former researcher for the U.S. National Security Agency, said the discovery "confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices".

Because Apple was not aware of the software bug until recently, it could have been very valuable to governments and contractors offering hacking services. Exploit programs that work without warning against an up-to-date phone can be worth more than $1 million.

While Apple is largely viewed within the cybersecurity industry as having a high standard for digital security, any successful hacking technique against the iPhone could affect millions due to the device's global popularity. In 2019, Apple said there were about 900 million iPhones in active use.

Bill Marczak, a security researcher with Citizen Lab, a Canada-based academic security research group, called the vulnerability discovery "scary".

"A lot of times, you can take comfort from the fact that hacking is preventable," said Marczak. "With this bug, it doesn't matter if you've got a PhD in cybersecurity, this will eat your lunch."

Additional reporting by Reuters
