iMessage security flaw could let attackers decrypt photos; fix coming in iOS 9.3

Apple has announced that a previously unknown vulnerability in iMessage — one that could allow a malicious party with the resources of a nation state to decrypt photos and videos sent through the service — will be fixed in iOS 9.3. The hole was discovered by researchers at Johns Hopkins, who informed Apple about the vulnerability. The researchers will also hold off detailing the issue until after iOS 9.3 is released to the public.

In a statement to The Washington Post, Apple thanked the Johns Hopkins team for its work:

"Apple works hard to make our software more secure with every release," the company said in a statement. "We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability. . . . Security requires constant dedication and we're grateful to have a community of developers and researchers who help us stay ahead."

Matthew D. Green, who led the research team, started looking for a vulnerability in iMessage last year after coming to believe that Apple's encryption process might be weak. Though Green contacted Apple about potential issues, the company didn't respond or fix the problem. By writing software to mimic an Apple server, Green and his team demonstrated that photos and videos could be intercepted and decrypted.

iOS 9.3, which contains a fix for the problem, is expected to be released as early as Monday, March 21.