Researchers at security firm FireEye reported uncovering the iPhone and iPad vulnerabilities in a threat advisory.
The first flaw, codenamed "Manifest Masque," affects users who install third-party apps from sources other than the official Apple Store - something Apple works pretty hard to stop you doing.
The second flaw, "Extension Masque," relates to the way iPhones and iPads protect apps from malware.
The combination of flaws can reportedly be exploited by hackers when the user installs a third-party app, and grants attackers a variety of powers.
Greg Day, FireEye's CTO EMEA, told Business Insider these powers include the ability to "kill, replace or tamper with apps" already installed on the iPhone or iPad and to access personal data, such as call logs, contacts and GPS locations.
The hackers could also theoretically use the flaws to install dangerous applications that hijack control of the victim's iPhone or iPad, he added. The firm has yet to see any of these activities in the wild.
The third vulnerability, "Plugin Masque," relates to the way iPhones and iPads deal with Virtual Private Network (VPN) traffic. VPNs are custom security services designed to make it more difficult for hackers and government agents to monitor users' digital movements and communications.
The flaw could reportedly be exploited by attackers to hijack outgoing and incoming data, even if the VPN is turned on.
FireEye privately reported the bugs to Apple prior to publicly disclosing them and they have been fixed in Apple's latest iOS 8.4. However, FireEye claims that a third of iPhones and iPads are still vulnerable to the attack and "have not updated to versions 8.1.3 or above."
Apple did not respond to Business Insider's request for comment at the time of publishing.
The two new Masque bugs are the latest in a long line of iOS vulnerabilities to be uncovered by FireEye. FireEye reported uncovering a separate wave of iOS bugs in February.
The report follows the release of a wave of security updates for the OS X operating system used on Apple's popular MacBook range of laptops, fixing flaws some of which could also be used to hijack control of victims' machines.