Skip to main content

Citzen Lab Report: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild




 Last week, Citizen Lab discovered an actively exploited zero-click vulnerability while examining the device of an individual employed by a civil society organization based in Washington DC, which also operates internationally. This vulnerability was being utilized to deploy NSO Group's Pegasus mercenary spyware.


The Exploit Chain: BLASTPASS

Citezen lab dubbed this exploit chain BLASTPASS. It had the capability to compromise iPhones running the latest iOS version (16.6) without requiring any action from the victim. The exploit functioned through PassKit attachments that contained malicious images sent from an attacker's iMessage account to the victim.


Citezen lab said they have plan to release a more comprehensive analysis of the exploit chain in due course.


Disclosure to Apple & CVEs



Citizen Lab promptly shared our discoveries with Apple and provided assistance in their investigation. Subsequently, Apple issued two CVEs pertaining to this exploit chain (CVE-2023-41064 and CVE-2023-41061).


Update Apple Devices Immediately

We strongly advise everyone to promptly update their devices. For those who may face heightened risk due to their identities or activities, we recommend enabling Lockdown Mode. According to both our assessment and confirmation from Apple’s Security Engineering and Architecture team, Lockdown Mode effectively thwarts this specific attack.


We commend Apple for their swift investigative response and patch implementation, and we extend our appreciation to the victim and their organization for their cooperation and support.


Highly Targeted Civil Society: A Cybersecurity Early Warning System

This recent discovery underscores once again that civil society remains a prime target for exceptionally sophisticated exploits and mercenary spyware. Apple’s update will safeguard devices belonging to everyday users, corporations, and governments worldwide. The BLASTPASS revelation emphasizes the immense value, in terms of collective cybersecurity, in championing civil society organizations.

Popular posts from this blog

Safeguarding Internet Privacy: Supreme Court of Canada Upholds Protection of IP Addresses

In a recent ruling, the Supreme Court of Canada affirmed the significance of privacy rights concerning internet addresses. The court declared that police cannot simply obtain a suspect’s IP address without a court order, emphasizing the expectation of privacy that Canadian residents hold for such information. The court's decision stemmed from a case in 2017 involving Calgary police investigating fraudulent online activities at a liquor store. Initially, police demanded IP addresses from a credit card processor, which eventually led to obtaining subscriber information from Telus. This information was pivotal in making arrests and securing convictions in multiple offenses. Despite previous convictions, the accused contested the legality of obtaining IP addresses without proper authorization. The Supreme Court, in a 5-4 decision, asserted that IP addresses carry a reasonable expectation of privacy, necessitating judicial approval before access. The ruling emphasizes that obtaining jud

Signal Introduces Usernames for Encrypted Messaging: A Secure Way to Connect

Signal, the encrypted messaging service, is launching a new feature in the coming weeks: support for usernames. This beta feature allows users to establish unique usernames, enabling connections without divulging phone numbers. source: Signal Blog To create a username, navigate to your settings and select "Profile." Once you've chosen a unique username, generate a QR code or link to share with others. Recipients can connect by entering your username into the chat bar. Usernames can be changed at any time, though previous usernames may be claimed by others. Signal began testing usernames last fall. Unlike social media platforms, Signal usernames do not serve as logins or public handles. They offer a discreet means of communication without revealing personal phone numbers. While a phone number is required to register for Signal, sharing it is optional. Usernames remain private and do not appear on profiles or in chats unless shared explicitly. As Randall Sarafa, Signal'

Apple approves single letter name for twitter IOS app

In a series of noteworthy updates, Twitter, the popular social media platform, has officially rebranded itself to a single-letter name "X" on the App Store, marking a significant change in its visual identity. This move came after weeks of alterations to its social media handles, interface branding, and even web redirects, generating quite a buzz among its users and followers. Interestingly, Apple usually maintains a policy against allowing developers to name their apps with just a single character. However, it seems that Twitter's parent company, X Corp., led by the renowned entrepreneur Elon Musk, managed to secure an exception from Apple, granting them the unique opportunity to use "X" as the app's name. This exception was particularly significant, as the App Store Connect portal typically displays an error when developers attempt to use a single character as the app's name. In conjunction with the name change, Twitter also revamped its App Store tagl