A flaw in the iOS Mail app could have given hackers easy access to your emails for years

Apple pushed a fix in the latest iOS beta. Before that reaches everyone, you should use a different app like Gmail or Outlook.

stockcam/iStock Unreleased/Getty Images

Apple's Mail client for iOS has a serious vulnerability that, when exploited, would allow hackers to leak or delete your emails. Cybersecurity firm Zecops identified the flaw and reported it to Apple, which has developed a fix but not yet rolled it out. Zecops believes "with high confidence" that the vulnerability has been exploited to attack a range of high-profile targets including Fortune 500 executives and journalists.

Not your standard email hack — The flaw is particularly dangerous because the standard advice around avoiding suspicious emails does not apply here. This is a "zero-click" flaw, meaning a victim can be affected without even clicking a malicious link or downloading an attachment. On iOS 13, even just downloading the malicious email can trigger the exploit, and users shouldn't notice anything wrong with their phone once infected. In iOS 12 or earlier, users need to open the email but don't need to do anything further.

Zecops says the hack works by sending an email that overwhelms the phone's RAM. The hacker can then write over emails in your inbox, and even delete their malicious email that triggered the exploit, cleaning up their tracks so you don't notice anything odd.

The bug has apparently been present in the Mail app since as early as 2012.

Apple has developed a patch — Though Zecops says it hasn't been rolled out to users yet. The firm decided to publicly disclose the issue before it's fixed because Zecops feels users should be informed and able to switch to a safer email client in the meantime.

iOS beta version 13.4.5 includes the fix, so users should either install that or switch to an alternative client for now. Outlook for iOS is quite good, and supports all the major email services. You should also make sure to disable the Mail app by revoking its access to your email accounts.

Zecops has a full blog post detailing the exploit if you'd like to learn how it works.