SAN FRANCISCO • Apple is planning to fix a flaw that a security firm said might have left more than half a billion iPhones vulnerable to hackers.

The bug, which also exists on iPads, was found by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyber attack against a client that took place last year.

Mr Zuk Avraham, ZecOps' chief executive, said he found evidence the vulnerability was exploited in at least six cyber security break-ins.

An Apple spokesman acknowledged that a vulnerability exists in Apple's software for e-mail on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally.

Apple did not comment on Mr Avraham's research, which was published on Wednesday and suggests that the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.

Mr Avraham said he found evidence that a malicious program was taking advantage of the vulnerability in Apple's iOS mobile operating system as far back as January 2018. He could not determine who the hackers were and Reuters was unable to independently verify his claim.

To execute the hack, Mr Avraham said, victims would be sent an apparently blank e-mail message through the Mail app, forcing a crash and reset. The crash opened the door for hackers to steal data on the device, such as photos and contact details.

ZecOps claims the vulnerability allowed hackers to remotely steal data off iPhones even if they were running recent versions of iOS. The flaw itself could have given access to whatever the Mail app had access to, including confidential messages.

Mr Avraham, a former Israeli Defence Force security researcher, said he suspected that the hacking technique was part of a chain of malicious programs, the rest undiscovered, which could have given an attacker full remote access. Apple declined to comment.

The security expert based most of his conclusions on data from "crash reports", which are generated when programs fail in mid-task on a device. He then recreated a technique that caused the controlled crashes.

Two independent researchers who reviewed ZecOps' discovery found the evidence credible, but said they had not yet fully recreated its findings.

Mr Patrick Wardle, an Apple security expert and former researcher for the US National Security Agency, said the discovery "confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices".

