A $2 million iMessage vulnerability listed on the dark web may not be what the seller says it is, but it still serves as a reminder that iPhones are not impenetrable to hackers. According to an article published on X on April 15, Trust Wallet found solid evidence related to a high-risk zero-day vulnerability targeting iMessage users. Allegedly, the vulnerability does not require users to click on any link to access the iPhone.
As a precautionary measure, Trust Wallet advises iPhone users, especially high-value users, to turn off iMessage until Apple fixes the issue.
It's worth noting that, as TechCrunch highlighted, there is no definitive evidence of the existence of the vulnerability at this time. The alleged evidence comes from a dark web ad called "iMessage Exploit".
The product is advertised as an RCE (Remote Code Execution) that does not require the target to interact. Allegedly, it works on the latest version of iOS. CodeBreach Lab, the seller of the alleged vulnerability, offered $2 million in Bitcoin. As of now, no one has purchased the vulnerability.
While this threat is likely to be exaggerated, if not outright scams, it's still important to understand why these vulnerabilities are worth taking seriously.
It is widely believed that iPhones are not infected with malware, but this is not the case. While iPhones are rarely infected with malware, attackers can still exploit zero-day and zero-click vulnerabilities to infect users' devices. However, these types of attacks are often costly and difficult to implement due to the high level of sophistication required.