Apple’s instant messaging service iMessage contains a major security flaw. The bug, an out-of-bounds issue, was fixed by Apple in iOS 12.4. However, security researcher Natalie Silvanovich of Google Project Zero came across the flaw in iMessage despite it being patched.
According to Silvanovich, the issue stems from a class called ‘_NSDataFileBackedFuture’ in the application, which could allow files on the iPhone to be read.
Other bugs disclosed
Apart from CVE-2019-8646, Silvanovich also disclosed multiple other bugs in the iMessage application. These include a use-after-free issue (CVE-2019-8647), a memory corruption bug (CVE-2019-8660) and another out-of-bounds read (CVE-2019-8624). However, all of these were fixed by Apple in iOS 12.4. As of now, the resurfaced out-of-bounds issue is yet to be resolved by Apple.