Apple announced a critical software update to fix a security vulnerability that allowed spyware to be sent to more than one million iPhone users.
The vulnerability in the iMessage system left user data at risk from hackers, Apple said in a statement. The company first revealed the vulnerability on Sunday, the day before Black Friday.
Users can download the updated iMessage software for free. The security update is not available for the Apple Watch.
iMessage is the messaging system that allows iPhone users to send and receive messages that are delivered even when the phones are locked.
The security flaw enabled the owner of a targeted phone to send a message to the phone belonging to the Apple iPhone user they wanted to reach. The target phone would receive a “server-side communication” from the target iPhone and download the spyware in a process known as a “man-in-the-middle” attack.
Apple said the vulnerability was “immediately fixed” when it was first disclosed. The company, however, added that users who downloaded an iMessage update before it was closed would not have their data compromised.
According to Security Explorations, the flaw was likely introduced in iOS 8.2. In addition to iMessage, the flaw allowed hackers to break into websites and other IoT systems by impersonating the administrators of the services, the firm said.
“According to one example cited by [Security Explorations], the phone was configured to view HTTP Private Socket Layer connections as ‘OpenSSL’, making the connections unusable unless the device is logged in,” the firm said.
The firm offered instructions on how to fix the vulnerability, which it said is more difficult to find and fix than the Gmail and Google Home exploits used to sabotage these two apps.