Constantly monitoring potential security threats is the No. 1 priority at Bitget!
This week, we have learned of a serious exploitable vulnerability in the built-in Mail app on Apple iOS, which was first disclosed by the ZecOps Research Team.
According to the article:
“Following a routine iOS Digital Forensics and Incident Response (DFIR) investigation, ZecOps found a number of suspicious events affecting the default Mail application on iOS dating as far back as Jan 2018. ZecOps analyzed these events and discovered an exploitable vulnerability affecting Apple’s iPhones and iPads. ZecOps detected multiple triggers in the wild to this vulnerability on enterprise users, VIPs, and MSSPs, over a prolonged period of time.”
The disclosed vulnerabilities have existed since iOS 6 (issue date: September 2012) and affect versions up to iOS 13.
To ensure that you are not affected by this issue, we recommend that you do either of the following:
1. Disable the iOS Mail function
Remove the iOS Mail function by pressing down on the app’s icon. Once all the app icons on the screen start moving, tap the X button in the upper-left corner to remove the Mail app. After that, go to Settings > Passwords & Accounts. Set Fetch New Data to "Manual" and disable "Push." Use dedicated email clients such as Gmail or Outlook, or a web browser such as Safari or Chrome, to access your email.
2. Upgrade to the latest iOS beta (iOS 13.4.5 beta).
You can do this by following the steps here: https://developer.apple.com/support/install-beta/
According to the ZecOps disclosure, “The vulnerability allows running remote code in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails. An additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability. It is currently under investigation.”
We strongly recommend that Bitget users take action immediately to protect the security of their funds. iOS 13.4.5 will fix the vulnerability once it is publicly released by Apple.
Apr 24, 2020