A serious security flaw in Apple's iMessage has allegedly been exposed after an iPhone spyware exploited "major" issues in the messaging app.
The spyware, called Pegasus and developed by Israeli surveillance company NSO, made "zero-click" attacks on iMessage vulnerabilities on the iPhone 12 Pro Max running iOS 14.6. This came from a report made by Amnesty International and the University of Toronto-based global security research group Citizen Lab, per Forbes.
This follows purported data leaks of 50,000 potential Pegasus targets, the report said.
iPhone iMessage Hack: iOS Processes iMessage Data and Attachments Automatically, Even From Strangers
Citizen Lab researcher Bill Marczak said in the Forbes interview that iOS automatically processes data and attachments received in iMessage, even when the sender is a stranger, which puts legitimate users at risk.
Marczak, a security expert who has spent years researching NSO's Pegasus hacks, recommended that Apple implement a measure "similar to what Twitter or Facebook has been doing with their DMs."
Apple's iMessage on iPhones uses end-to-end encryption to send and receive messages, with only the sender and the receiver supposedly able to see their contents, including photos, videos and other attachments.
According to the Amnesty International-Citizen Lab report, hackers remotely accessed and replicated data from phones of 37 individuals, mostly journalists and reporters, using Pegasus, Business Insider noted.
Pegasus, a military-grade hacking service, is marketed to governments for intelligence purposes. Using the spyware, hackers could infect phones with the "zero-click" texts through iMessage. This means the target user need not interact with the text to have their phone hacked.
What's more alarming is that this breach could happen to the latest iPhones, even with the latest security patches installed.
iPhone Spyware: NSO Targets Journalists, Heads of State, Human Rights Activists
According to a BBC report, it is believed that Pegasus spyware has targeted individuals susceptible to government surveillance, such as reporters and heads of state. Such journalists include Financial Times editor Roula Khalaf and murdered Mexican journalist Cecilio Pineda. The list also included people close to murdered Washington Post reporter Jamal Khashoggi, such as his wife Hanan Elatr and fiancée Hatice Cengiz, a Turkish researcher who accompanied Khashoggi to the Saudi consulate in Turkey when he was killed on October 2, 2018.
The BBC report further said that Pegasus had targeted Arab royals, 600 politicians and government officials, 64 business executives, 189 journalists and 85 human rights activists in a breach of 50,000 phones.
The NSO Group rejected the findings, flatly denying the hacking allegations, Business Insider further reported.
NSO Denies Spying Allegations, Apple Affirms Security Leadership
The $1 billion surveillance company said in a statement the charges were "so outrageous and far from reality that the NSO is considering a defamation lawsuit."
In an Apple statement provided to the Washington Post, the Cupertino, California-based tech giant defended its security features, saying that the company has long been an industry leader in security.
Ivan Krstic, head of Apple's Security Engineering and Architecture, asserted that Apple condemns such cyberattacks against journalists, human rights activists and other prominent individuals. The attacks detailed in the Amnesty International-Citizen Lab report were "highly sophisticated" and should not pose a threat to an "overwhelming majority" of iPhone users.