Google's secretive and elite team of security researchers have discovered six devastating flaws in Apple's iMessage app, one of which they claim the company has not fixed.

Project Zero is Google's security research department which hunts so-called "zero day" vulnerabilities, named because the software creator has had "zero days" to fix it.

These new vulnerabilities are the most precious and harmful tools for hackers and are hoarded by intelligence agencies and criminals alike for offensive purposes, while others attempt to find them to fix them.

Image: Google researchers discovered the flaws

Five of the critical bugs which the team found in Apple's instant messaging service iMessage have now been fixed.

One of the flaws impacted both Macs and iPhones, but would cause iPhones to crash and become unusable even after being reset.


Researcher Natalie Silvanovich said: "The only way I could find to fix the phone is to reboot into recovery mode and do a restore. This causes the data on the device to be lost though."

Another of the flaws could allow an attacker to remotely access an Apple device and copy files off it without the owner even having to respond to a security prompt.

Often cyber attacks require some kind of user input to succeed, whether the user clicks "allow" or "yes" on a pop-up, or follows a link, or downloads and executes a malicious file in a phishing email under the impression that it is innocent.

However, this bug allowed what is known as a "no-click" attack, meaning there is no user input needed at all - the hackers could just exploit iMessage with a special command and gain access to the target's files.

These bugs were addressed in the iOS 12.4 release, and Apple recommends keeping the operating system as up to date as possible.

We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability — Natalie Silvanovich (@natashenka) July 29, 2019

But another of the bugs was not fixed in the most recent update, according to Ms Silvanovich, who said the researchers were witholding the vulnerability because Apple hadn't managed to fix it.

In a statement Apple said: "For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available.

"This document lists recent releases," the statement added, before stressing: "Keeping your software up to date is one of the most important things you can do to maintain your Apple product's security."