Google Project Zero researchers Natalie Silvanovich and Samuel Groß have discovered serious security flaws in Apple's iOS operating system that would have sold for millions on the black market.

Interactionless Bugs

All six vulnerabilities are "interactionless," which means they can be exploited on a remote device without requiring any direct interaction from the phone's user.

In four of these vulnerabilities, an attacker simply has to send malicious code via iMessage and wait until the user opens the message. Two of the bugs allow the attacker to leak data from the phone's memory and read files off the device remotely, without user interaction.

Five Of The Six Security Vulnerabilities Patched With iOS 12.4 Update

Five of the vulnerabilities were already patched with last week's iOS 12.4 update. Silvanovich and Groß have published the details of the patched bugs online. Silvanovich will discuss the details of some of the bugs and demonstrate exploits in action at the Black Hat security conference, which will be held in Las Vegas next week.

"This presentation explores the remote, interaction-less attack surface of iOS," the abstract of the talk reads. "It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components."

Details about the unpatched bug will remain confidential until the issue is addressed by Apple.

Worth Well Over $5 Million On The Exploits Market

"Interactionless" bugs are in such demand among hackers that this type of security flaw would fetch a fortune on the black market.

Citing a price chart published by Zerodium, ZDNet said vulnerabilities like these are worth well over $1 million per piece on the exploit market.

Crowdfense, another exploit vendor, also said that the vulnerabilities could easily be valued between $2 million and $4 million each, which could bring in a total value of up to $24 million.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.