A serious bug in the default Apple iOS Mail application can be exploited with little effort to display extremely realistic-looking pop-up prompts and trick users into handing over their Apple iCloud login credentials, security researcher Jan Soucek warns.
He discovered the flaw in January 2015 and reported it to Apple, but the company has yet to ship a patch. Soucek decided to publish proof-of-concept code in order to force Apple's hand.
The vulnerability lies in the fact that the Mail app renders HTML e-mail without ignoring the meta refresh tag (<meta http-equiv="refresh" ...>). A mail client should not honour that tag, but iOS Mail does, so the tag can navigate the message view to an attacker-controlled page as soon as the message is opened.
He also published a video demonstrating the attack on both an iPad and an iPhone.
Effectively, all an attacker needs in order to mount a successful attack is to send the target an e-mail containing the aforementioned tag, plus a server that hosts the bogus login prompt to which the tag redirects.
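The practical check a mail-security engineer would want here is a filter that flags messages whose HTML part carries a meta refresh, since no legitimate e-mail needs one. The following is an added example, not Soucek's proof-of-concept or Apple's code: it walks the MIME parts of a raw message, parses each text/html body with Python's standard html.parser, and returns the redirect targets of any meta refresh tags it finds. The sample messages, addresses and URLs are constructed for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: a multipart message whose HTML part redirects the
# rendering view to an external page the moment the message is opened.
# The domain is a placeholder, not a real phishing host.
SUSPICIOUS_EMAIL = """\
From: sender@example.test
To: victim@example.test
Subject: Your receipt
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Thanks for your order.
--b1
Content-Type: text/html; charset="utf-8"

<html><head>
<meta http-equiv="refresh" content="0; url=https://login.example.test/icloud.html">
</head><body><p>Thanks for your order.</p></body></html>
--b1--
"""

# Constructed benign sample: ordinary HTML mail with no refresh directive.
BENIGN_EMAIL = """\
From: sender@example.test
To: victim@example.test
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><meta charset="utf-8"><title>News</title></head>
<body><p>Read more at <a href="https://news.example.test/">our site</a>.</p></body></html>
"""


class MetaRefreshFinder(HTMLParser):
    """Collects the redirect target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # html.parser lowercases attribute names; values may be None for bare attrs.
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        content = attr.get("content", "")
        # The content attribute has the form "<seconds>; url=<target>";
        # the url part is optional and may be quoted.
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", content, re.IGNORECASE)
        self.targets.append(m.group(1) if m else content.strip())


def find_meta_refresh(html):
    """Return the list of meta-refresh redirect targets in an HTML document."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    return parser.targets


def scan_message(raw_message):
    """Return meta-refresh targets found in every text/html part of a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    targets = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        targets.extend(find_meta_refresh(body.decode(charset, errors="replace")))
    return targets


def is_suspicious(raw_message):
    """A message that redirects its own rendering view should be quarantined."""
    return bool(scan_message(raw_message))


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, scan_message(sample), is_suspicious(sample))
```

The parser is deliberately tolerant of attribute-name case and of quoted or unquoted url= values, because an attacker controls the exact spelling of the tag; a filter that only matched one canonical form would be trivially bypassed. Deployed at a gateway, a hit is a strong quarantine signal regardless of whether the destination looks benign.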
The resulting pop-up prompt looks very much like a genuine iOS login dialog.
The code can be modified to pre-fill the username field with the victim's e-mail address. The password field also has autofocus enabled, so the user lands directly in it, and once they tap OK the dialog disappears, leaving no obvious trace that anything happened.
Finally, as any Apple user knows, Apple's operating systems are known for displaying login prompts at seemingly random times, so seeing one while opening an e-mail will not raise suspicion with many users.
For the time being, users can protect themselves against this type of attack by declining to enter their password whenever they are asked for it right after opening a message in the Mail app; a genuine iOS prompt never depends on which e-mail is open. Hopefully Apple will soon deliver a patch that resolves the issue for good.