Bug in iOS Mail app is a dream come true for phishers

A serious bug in the default Apple iOS Mail application can be easily exploited to show extremely realistic-looking pop-up prompts and trick users into sharing their Apple iCloud login credentials, security researcher Jan Soucek warns.

He discovered the flaw in January 2015, and notified Apple of it, but the company has yet to deliver a patch for it. Soucek decided to publish proof of concept code in order to force their hand.

The vulnerability lies in the fact that the app does not ignore the HTML tag in e-mail messages.

“This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS,” Soucek explained on the GitHub page hosting his PoC iOS Mail.app inject kit.

He also published a video demonstrating the attack both on an iPad and on an iPhone:

Effectively, all an attacker needs to mount a successful attack is to send an email with the aforementioned HTML tag to the target, and a server that hosts the bogus login prompt.

The pop-up prompt looks pretty legitimate.

The code can be modified to show the victim’s email address in the username field. Also, the password field has autofocus enabled, so once a user clicks OK the dialog field is hidden.

The pop-up it will be shown only once, as the code uses cookies to detect that the victim has already visited the page and will prevent the message to be shown a second time.

Finally, as any Apple user knows, Apple’s OSes are known for displaying login prompts at random times, so seeing it while you open an email will not trigger suspicion with many users.

At the moment, users can protect themselves against this type of attack by declining to enter their password if they are asked to do so after having opened an email via the Mail app. Hopefully Apple will soon deliver a patch solving the issue for good.

Share this