There’s a security vulnerability in Apple’s(AAPL) encrypted messaging app, iMessage, that could let attackers steal photos and videos being sent between users.
That’s according to researchers from Johns Hopkins University, whose findings have been reported in the Washington Post.
The attack they formulated will work on iMessage running off iPhones and iPads that haven’t been updated to the latest version of the iOS operating system, version 9.3. However, an attacker with nation-state resources could adapt the exploit to hit up-to-date devices as well, the researchers said.
Get Data Sheet, Fortune’s technology newsletter.
Apple will only release a full fix for the vulnerability on Monday, so the researchers are holding back on releasing key details for now.
Details, blog post, paper, etc to come after Apple ships the patch.
— Ian Miers (@secparam) March 21, 2016
“We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability,” Apple said in a statement quoted by the Post.
According to the piece, the researchers “wrote software to mimic an Apple server” and set about methodically guessing the encryption key that protected a certain photo being transmitted.
Usually this would be an extremely difficult task with a 64-digit key, but the system apparently let them know every time they had correctly guessed a digit, drastically reducing the amount of effort needed to test out different combinations.
For more on the Apple-FBI debate, watch:
Although this kind of encryption is not directly relevant to the celebrated Apple-FBI spat over the San Bernardino shooter’s phone — which is about bypassing the phone’s login locks — the Johns Hopkins researchers have used their work to point out that investigators can exploit existing flaws rather than requiring complicity from tech firms.
“Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right,” said computer science professor Matthew Green. “So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”
