iMessage is going to run the main “candies” for iOS attackers, as the iPhone messaging service is showing quite a lot of security flaws lately. After resolving the latter, a Google security engineer has rediscovered a critical bug on the platform that allows an attacker to gain access to private data stored on an iPhone.
The most serious iOS bugs we have encountered in recent months were related to Apple’s communication apps. For example, at the beginning of the year FaceTime allowed a user to be heard and even seen before a call was answered on the iPhone, even without the “victim” knowing.
But iOS 12 has also presented problems in iMessage . A problem with the messaging app sent messages to unwanted recipients and now the problem is even greater, because the iOS 12 bug that affects the app allows access to the data we host on the phone.
Up to 5 different bugs in iMessage
Natalie Silvanovich has been the security researcher who is part of the Google team who claims to have discovered not one or two, but up to five bugs in iMessage. Of all of them, Apple already has information so the company should already be working on a solution.
Most of them are failures that affect operation, since they affect remote memory that can cause unexpected closures in the app. However, there is one, identified as CVE-2019-8646, that allows “an attacker to read files from a remote device with no user interaction”. In other words, it is a backdoor for cybercriminals to access iPhone content using this iOS 12 fault and, specifically, and iMessage.
This particular bug has been corrected in iOS 12.4, so if for the reason that it was not yet updated your iPhone to this version of the operating system, prior to the arrival of iOS 13, you are not too bad if you do it immediately.
There is a 5th error that security researchers have not provided any more data I decide on Apple’s 90-day disclosure policy, but we assume that it is a bug in which, as we said a few lines above, Apple is already working so that it is solved at the time it is made public.