Saturday, June 13, 2015

Security Bug Leaves iCloud Passwords Vulnerable to Phishing



In a proof-of-concept attack, a researcher has shown how a security flaw within the iOS mail client can be easily exploited to trick Apple users into handing over their iCloud passwords.

The flaw, found in the default email program in the latest version of iOS for iPhone or iPad, is that the client fails to strip out potentially malicious code such as the <meta http-equiv="refresh"> HTML tag in email messages. This could allow a clever phisher to remotely load HTML, replacing the original content of the email.

The researcher who discovered the bug showed how it could be exploited by downloading a form from a remote server that looks exactly like a legitimate iCloud log-in prompt. If such an email were opened and the victim entered his or her password, a hacker could easily steal the details.
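The fix the article is waiting on belongs in the mail client: HTML mail has to be sanitized before it is rendered, and a meta refresh is exactly the kind of tag that must go. The following is an added example, not code from the article, the researcher, or Apple. It uses Python's standard html.parser to re-emit an HTML body with every <meta http-equiv="refresh"> removed (any letter case, any attribute quoting, self-closing or not) and to count what it dropped, so the same routine serves as a detector for a mail gateway. The sample message and the example.invalid URL in it are constructed for the demonstration.

```python
"""Strip <meta http-equiv="refresh"> from an HTML e-mail body.

Added example (not code from the article, the researcher or Apple):
a small sanitizer of the kind a mail client or gateway would run
before rendering HTML mail, plus a detector built on the same pass.
"""
from html.parser import HTMLParser

# Constructed sample: a benign message with an injected meta-refresh tag
# (mixed case, quoted value) sitting next to a harmless self-closing <meta>.
SAMPLE_EMAIL = """<html><head>
<META http-equiv="Refresh" content="0; url=http://example.invalid/login">
<meta charset="utf-8"/>
</head><body><p>Your invoice is attached &amp; ready.</p></body></html>"""


class MetaRefreshStripper(HTMLParser):
    """Re-emits the input HTML verbatim, except that any <meta> whose
    http-equiv attribute is "refresh" (case-insensitive, surrounding
    whitespace ignored) is dropped. `removed` counts the dropped tags."""

    def __init__(self):
        # convert_charrefs=False so entities such as &amp; pass through untouched
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = 0

    @staticmethod
    def _is_meta_refresh(tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values are left as-is
        if tag != "meta":
            return False
        for name, value in attrs:
            if name == "http-equiv" and (value or "").strip().lower() == "refresh":
                return True
        return False

    def handle_starttag(self, tag, attrs):
        if self._is_meta_refresh(tag, attrs):
            self.removed += 1
            return
        # get_starttag_text() returns the tag exactly as written in the input
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # self-closing form (<meta ... />): same rule, emitted once
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def strip_meta_refresh(html: str):
    """Return (sanitized_html, number_of_meta_refresh_tags_removed)."""
    parser = MetaRefreshStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


def has_meta_refresh(html: str) -> bool:
    """Detection-only variant for a gateway: True if the body carries a meta refresh."""
    return strip_meta_refresh(html)[1] > 0


if __name__ == "__main__":
    cleaned, count = strip_meta_refresh(SAMPLE_EMAIL)
    print(f"removed {count} meta-refresh tag(s)")
    print(cleaned)
```

The parser matches on the parsed attribute rather than on a regex over the raw text, so spelling variants the tag's author might use (`Refresh`, `http-equiv=refresh` without quotes, extra whitespace, `<meta .../>`) all hit the same rule; a real client would apply the same allow-list approach to scripts, forms and external loads, not just this one tag.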
Here’s a video demonstration:
Apple’s OS has a tendency to display iCloud login prompts at random anyway, and the exploit can be programmed to ask for a password only once, so as not to arouse suspicion. So it’s not terribly difficult to imagine a slew of unsuspecting Apple users getting caught in this sort of phishing scheme.

The security researcher says he first reported the flaw to Apple back in January. Six months later, with no sign of a fix, he decided to publish his exploit online. The strategy seems to be paying off: several days ago, Apple officials told Ars Technica that the company is now working on a fix for an upcoming software update.

In the meantime, if you’re an Apple user who hasn’t activated two-step verification, this would be a great time to do so.