
Apple just admitted Messages app had a major security flaw
What's the story
Apple has confirmed a major security flaw in the Messages app for iPhones, which was exploited to spy on journalists in Europe. The vulnerability was discovered by researchers at Citizen Lab and was used in targeted attacks against journalists and human rights activists. The attack involved sending a malicious photo or video via an iCloud link in the Messages app, which could exploit a logic flaw and install spyware on the victim's device.
Spyware
Attackers used Graphite spyware developed by Paragon
The Citizen Lab researchers discovered that the flaw was exploited using a spyware tool called "Graphite," developed by a mercenary surveillance firm, Paragon. This spyware has been used in attacks against journalists and human rights defenders on various platforms. The Citizen Lab's report revealed that one of their devices was compromised with Paragon's Graphite spyware while running iOS 18.2.1 in January and early February 2025.
Patch details
Apple acknowledged the issue after findings were made public
Apple has confirmed that the flaw was exploited in "extremely sophisticated attacks" against specific individuals. The company had quietly patched the issue in the iOS 18.3.1 update released earlier this year, but only acknowledged it after Citizen Lab's findings were made public. Apple has not explained the delay in disclosure, which has sparked concerns over targeted surveillance with spyware, particularly against journalists and civil society figures.