Google researchers discovered six flaws in Apple’s iMessage app that could have been exploited to crash devices or access files remotely.
A team of Google bug researchers says it has discovered six flaws in Apple’s iMessage app, one of which is yet to be fixed.
The firm’s Project Zero is made up of security analysts who hunt for serious vulnerabilities in various software before hackers find them, providing manufacturers with a 90-day deadline before they make the issue public.
The issues found in Apple’s product could have been exploited in a number of ways, such as remotely accessing files or crashing devices.
Five of the flaws were patched in the iOS 12.4 update rolled out last week, but the sixth alleged bug – which Google is not disclosing until the deadline is reached – remains open.
Natalie Silvanovich, one of the researchers who uncovered the flaws, described them as “interactionless”, meaning they can run without the user having to do anything.
The only way one issue could be fixed on an iPhone was by carrying out a complete reboot and recovery leading to data loss, Silvanovich said in her original report in April.
We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability
— Natalie Silvanovich (@natashenka) 29 July 2019
“For the protection of our customers, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available,” an Apple spokesperson said.
“Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.”
Google’s Project Zero was formed in 2014 with the aim of reducing the number of people harmed by targeted attacks. It has previously notified the likes of Microsoft and Facebook about vulnerabilities on their services and platforms.
The news comes shortly after Apple responded to an anonymous whistleblower who claimed that the company’s contractors overheard private conversations through accidental Siri recordings.
Apple said: “A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. Siri responses are analysed in secure facilities and all reviewers are under strict obligation to adhere to Apple’s strict confidentiality requirements.”
– PA Media, with additional reporting from Kelly Earley