Apple’s oft-touted security credentials were tested by reports of a string of bugs in its iMessage app, some of which made it possible for attackers to steal data from iOS devices.

Security researchers at Google uncovered six major vulnerabilities, four of which would automatically execute malicious code when malformed messages were viewed in the app. The remaining two allowed attackers to remotely read and leak files stored on a user’s device.

Natalie Silvanovich, a member of Google’s Project Zero cybersecurity team who helped discover the flaws, described them on Twitter as “interactionless”, meaning the attacks could be carried out without additional action from users.

Apple patched five of the bugs in its recently issued iOS 12.4 update, but Silvanovich noted the sixth remained unresolved. She said the Project Zero team is withholding details about the vulnerability until it is fixed.

ZDNet estimated the six exploits could have sold for a total of up to $24 million on the black market.