That means absolutely nothing. A server you run in the cloud is still your server, it's just a virtual machine or instance running on someone else's hardware. If anything this is slightly LESS secure, as now Google and its employees potentially have access in addition to your company.

I'm not saying that I don't trust your company in particular, just that having my password stored in a non-hashed form anywhere but on my own hardware is unacceptable.

Calm the hell down dude. Stop being so freak about privacy. If you cared so much about it then just become that crazy dude that doesn't use smartphones, social networks, macOS, etc. Privacy is a myth, just by buying a MacBook you are already giving information about yourself to Apple. Are you really that innocent to think Apple does not know anything about your e-mail, name, etc? Unless you live in the middle of a jungle, then you are never 100% secure.
 
What's this I read that iOS 12 isn't affected by some of these zero click mail exploits in iOS 13?
Yes there are other zero click exploits all the way back to iOS 6. Not holding my breath for previous iOS updates.
 
So... we just have to wait and use another app till 13.4.5 releases? Is there any actual timeframe on that?
 
So what are the effects.. what can they access with this exploit.
And what can one do if one suspects they have already been targeted?
How does one go about clearing/protecting the device till the new iOS is released?

Update:
I talked to Apple support ..
They said the only way to be sure that there is no infection already is to completely erase and reset..... And then restore from backup.

I did and went one step further and enrolled in beta and installed the iOS 13.4.5 beta which addresses these vulnerabilities.

It took a couple hours to get it all done and restored.
 
As long as you are OK with them storing your email account credentials on their servers. If they are breached, hackers not only get access to your email account, but can probably also take over many of your other accounts via password resets.
Except that Spark requires a generated password from iCloud, so your real password is never compromised.
 
Except that Spark requires a generated password from iCloud, so your real password is never compromised.
I assume you mean "application passwords", which are used by iCloud Email, Outlook.com and some other services (mainly because IMAP does not support 2FA). But it does not matter. While you can not use "application passwords" to log in to the web interface, they do allow full access to your mailbox. A hacker can simply enter them in an email client just like you do, and then read your emails and start attacking other accounts that are linked to your email address.
 
Calm the hell down dude. Stop being so freak about privacy. If you cared so much about it then just become that crazy dude that doesn't use smartphones, social networks, macOS, etc. Privacy is a myth, just by buying a MacBook you are already giving information about yourself to Apple. Are you really that innocent to think Apple does not know anything about your e-mail, name, etc? Unless you live in the middle of a jungle, then you are never 100% secure.

I'm not being a "freak" about privacy. I'm just following standard security practices, which dictate that plaintext passwords shouldn't be stored anywhere other than in a secure, vetted password manager that only you have access to.

I'm going to be nice, and just say that I hope your careless attitude about security doesn't result in a really bad time for you or someone you love down the road.
 
Yeah, I'm just going to reconfigure a third party mail app with the 7 different accounts I track via mail. :confused:

Already running 13.4.5, so I should be good anyway. :)
 
There are also some critical usability issues that need to be fixed ASAP.

Hence I stopped using the built-in mail app since the past 3 iOS upgrades, no regrets and since 3rd party apps are sandboxed life is good here.
Yeah, I'm just going to reconfigure a third party mail app with the 7 different accounts I track via mail. :confused:

Already running 13.4.5, so I should be good anyway. :)

You need help for those personalities. ;):p:eek:
So... we just have to wait and use another app till 13.4.5 releases? Is there any actual timeframe on that?

The targets for this exploit are CEOs and high value; do you fit in this group? If not, then stop losing sleep and change your PW when it has been patched.
Patching "security vulnerabilities" while partnering with Google for new tracking App?....the irony.

The Contact Tracing app will be pointless unless you opt to:

1. Install the app.
2. Have it open and running in the background.
3. Bluetooth is active.
4. Never activate airplane mode or your phone's battery dies.
5. Close to 80% of the population is using it in your geographical area.

It is another measure to track you under the claim of public health and FUD. No thank you, I prefer my freedom, liberty and privacy (whatever is left of it) rather than be forced into something I have no concern about.
 
As a member of the Spark team, I want to assure you that we follow all the recommended industry practices to keep your data safe. Spark needs access to your email account to enable you to read and send emails. This is how every email client works. Our databases are encrypted and all connections are protected with TLS.

To make things as secure as possible, we don't use our own servers. Instead, we rely on Google Cloud which is one of the most secure solutions in the industry, and many tech companies like PayPal or Twitter also use it.

Here, we've explained everything you need to know about Spark's privacy policy: https://sparkmailapp.com/blog/privacy-explained
Hi
Thanks for your input, much appreciated.
Is it certain then that using Spark you are not vulnerable to this exploit, and do you know by any chance how to get rid of it if you have it?
Or does it just stop if you delete the specific email that's causing the problem? It isn't clear.
Thanks
 
I connected Outlook with the Mail app.
So if they are able to delete the „hack-mail“ in iOS, I should see it on outlook.com in the trash folder (if they have access to the Mail app, they still don't have it to the account itself). Is this correct?
 
I connected Outlook with the Mail app.
So if they are able to delete the „hack-mail“ in iOS, I should see it on outlook.com in the trash folder (if they have access to the Mail app, they still don't have it to the account itself). Is this correct?
No, you can permanently delete an email message without moving it to the trash.
 
No, you can permanently delete an email message without moving it to the trash.

But if I receive the mail, it is on the Outlook servers.
I see that the hackers can delete the mail from the iOS Mail app, but if I log in to outlook.com the email should be there? I mean they cannot log in to my mail account and delete the mail there?
Thank you :)
 
Calm the hell down dude. Stop being so freak about privacy. If you cared so much about it then just become that crazy dude that doesn't use smartphones, social networks, macOS, etc. Privacy is a myth, just by buying a MacBook you are already giving information about yourself to Apple. Are you really that innocent to think Apple does not know anything about your e-mail, name, etc? Unless you live in the middle of a jungle, then you are never 100% secure.

Except his point is correct. You realize there is a HUGE difference between giving someone your address and the keys to the front door right? This isn't about giving Apple your name and email address at all.

When you give a 3rd party access to your data, your emails run through that 3rd party server. What if THEIR server is breached? THAT is the point being made; access to Spark's cloud server, nothing to do with the consumer.

Everything that runs through it is then compromised; ie. ALL of your emails. The poster you responded to 100% accurately addressed this.

If someone gets into Spark's server they have access to every email running through it, including password reset requests to hijack your account. They don't NEED any of your data at all to get into your account(s) or take over them.

That is the huge risk of using 3rd party apps- you have ZERO idea how secure their end is where every email you get flows through.

Except that Spark requires a generated password from iCloud, so your real password is never compromised.

Except see above as explained that if Spark's cloud server is breached you are screwed. THAT is the vulnerability. Not on the user end so much.

Again this is act at your own informed risk. No one is telling anyone what to or not to use.
 
I’ve been riding hard with Apple Mail because I always like stock apps. Even when I was on Android I used their stock apps over others. I just liked the simplicity and integration. I feel betrayed right now and naive. Never using it again. Even after they fix it.
 
The Verge - Apple downplays iOS Mail app security flaw, says ‘no evidence’ of exploits
https://www.theverge.com/2020/4/24/...p-security-flaw-statement-no-evidence-exploit
Apple’s full statement can be found below:
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
 
The Verge - Apple downplays iOS Mail app security flaw, says ‘no evidence’ of exploits
https://www.theverge.com/2020/4/24/...p-security-flaw-statement-no-evidence-exploit
Apple’s full statement can be found below:
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”

Yet this was how the issue was identified. 🙄
 
I really like using the stock Mail app. I hope this gets fixed soon. Cuz I don’t like using the other mail apps.
 
Shame on Apple for not pushing a patch to fix a severe issue like this for more than three weeks. This is really not okay. I guess they have their hands full on contact tracing in 13.5, but what happened to 13.4.5? Why not push that update to fix multiple known vulnerabilities in iOS right now?
 
There may be more to this than you know and extended beta is warranted. Do you think Apple is purposefully holding back critical security fixes?

Was Microsoft holding back with this as well (just to show things can't be fixed on a dime)?

 