Vulnerability in iOS 12 allows attackers to retrieve files from Apple devices without user interaction

Published : 01/08/2019

Reference:
Advisory #2019-019

Version:
1.0

Affected software:
iOS 12 (>12.4)

Type:
Remote data exfiltration

CVE/CVSS:
unrated

Sources

https://bugs.chromium.org/p/project-zero/issues/detail?id=1858&can=1&q=label%3AiMessage&colspec=ID%20Status%20Restrict%20Reported%20Vendor%20Product%20Finder%20Summary
https://www.bleepingcomputer.com/news/security/apple-imessage-flaw-lets-remote-attackers-read-files-on-iphones/
https://www.zdnet.com/article/google-researchers-disclose-vulnerabilities-for-interactionless-ios-attacks/

Risks

Remote data exfiltration without user interaction.

Description

An attacker can send a specially crafted iMessage to a vulnerable Apple iOS device, resulting in remote data access. This leads to privacy risks, such as having your photos, text messages, etc leaked on the public internet, we advise to patch your iOS device(s) now.

Recommended Actions

CERT.be recommends all users of Apple iOS devices to upgrade their devices to the latest version of iOS today.

remark: Only iPhone models 5s and later, iPad Air (and later iPad models), iPod Touch 6th generation and later are able to run iOS 12. This vulnerability only exists in iOS 12.

References

https://support.apple.com/en-us/HT210346