Apple Inc is planning to repair a flaw that a security company said might have leftover half a billion iPhones vulnerable to hackers.

The bug, which also exists on iPads, was detected by ZecOps, a San Francisco-based mobile security forensics firm, while it was exploring a complex cyberattack against a customer that happened in late 2019. Zuk Avraham, ZecOps’ chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins.

An Apple spokesman acknowledged a vulnerability Exists in Apple’s software for email on iPhones and iPads, referred to as the Mail app, which the firm had developed a fix, which will be rolled out in a forthcoming update on millions of devices it’s sold globally.

Apple declined to comment on Avraham’s research, which Was published on Wednesday, that indicates the flaw could be triggered from afar and that hackers had already exploited it from high-profile users.

Avraham said he found evidence A malicious software was taking advantage of this vulnerability in Apple’s iOS mobile operating system as far back as January 2018. He couldn’t ascertain who the hackers were Reuters was unable to verify his claim independently.

To do the hack, Avraham Said victims could be sent an apparently blank email message via the Mail app forcing a reset and crash. The wreck opened the door for hackers to steal additional data on the device, like photographs and contact details.

ZecOps asserts the vulnerability enabled hackers to Remotely steal off data iPhones even if they had been running recent versions of iOS. By itself, the defect could have given access to whatever the Mail app had access to, including confidential messages.

Avraham, A former Israeli Defense Force security researcher, said he suspected the hacking technique was part of a series of malicious applications, the remainder undiscovered, which might have given an attacker complete remote access. Apple declined to comment on such a prospect.

ZecOps discovered the Mail app hacking technique was used against a Customer last year. Avraham described the targeted customer as a”Fortune 500 North American tech firm,” but declined to name it. They also found evidence of associated attacks against workers of five other companies in Japan, Germany, Saudi Arabia, and Israel.

Avraham Based most of his decisions on information from”crash reports” that are created when programs fail in mid-task on a device. He was subsequently able to reestablish a technique that resulted in controlled crashes.

Two independent security researchers who examined ZecOps’ discovery discovered that the evidence is credible, but said they hadn’t yet completely recreated its findings.

Patrick Wardle, an Apple security expert and former Researcher to the U.S. National Security Agency, said the discovery”affirms what has always been somewhat of a somewhat badly kept secret: that well-resourced adversaries can remotely and silently infect completely patched iOS apparatus.”

Because Apple Wasn’t aware of the Software bug until recently, it could have been very beneficial to authorities and builders offering hacking services. Exploit programs that work without warning from an up-to-date telephone can be worth more than $1 million.

While Apple is largely viewed within the cybersecurity industry as Possessing a high standard for electronic security, any successful hacking technique against the iPhone could affect millions because of the device’s global recognition. In 2019, Apple said that there were approximately 900 million iPhones in active use.

Bill Marczak, a security researcher Citizen Lab, a Canada-based academic security research team, known as the vulnerability discovery”scary.”

“A lot of times, it is possible to take comfort in the fact that hacking is preventable,” said Marczak. “With this bug, it doesn’t matter if you’ve got a PhD in cybersecurity, this will eat your lunch.”