
A serious bug in Apple’s stock Mail application for iPhone, iPod touch and iPad permits attackers to fool users into providing their iCloud credentials.

Such phishing attacks can be devastating as iCloud increasingly becomes home for our digital life in the Apple universe, including our photo libraries, notes, contacts and other personal data.

The scam takes advantage of a flaw in the Mail application that makes it easy to deliver convincing-looking pop-ups resembling iCloud password prompts through a simple email message, The Register reported Wednesday.

While such emails look like they’re coming from a real company, they’re spoofed, and once an unsuspecting user opens one on an iPhone, iPod touch or iPad running iOS 8.3, the Mail app will render the malicious HTML content embedded inside.

The flaw stems from the fact that Apple’s Mail application fails to ignore a particular HTML tag in incoming email, which causes the device to load remote HTML content in place of the original message.

The remotely loaded HTML imitates an iOS prompt asking for your iCloud username and password. Naturally, it’s fake and should be dismissed immediately. Here is a short demonstration of a proof-of-concept attack on iOS 8.3’s Mail client.

Security researcher Jan Souček first discovered the flaw in January of this year.

“Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in HTML tag in e-mail messages not being ignored,” he said.

“This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS.”
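As an added example, not from the article or from Souček’s repository: a mail-gateway style check in Python that parses a message and flags HTML parts carrying a `<meta http-equiv="refresh">` redirect to a remote URL, which is the kind of tag that lets remote content replace a message without JavaScript. The page does not name the tag the proof of concept used, so the meta refresh redirect is an assumption here, and both sample messages are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not from the original post): an HTML e-mail whose body
# carries a <meta refresh> that would replace the message with remotely hosted
# HTML in a client that fails to ignore the tag.
SAMPLE_EML = b"""\
From: Account Services <noreply@example.invalid>
To: victim@example.invalid
Subject: Action required for your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review your account.
--b1
Content-Type: text/html; charset="utf-8"

<html><head>
<meta http-equiv="refresh" content="0; url=https://phish.example.invalid/login.html">
</head><body><p>Please review your account.</p></body></html>
--b1--
"""

# Constructed benign message for comparison: plain HTML, no redirect.
CLEAN_EML = b"""\
From: Newsletter <news@example.invalid>
To: victim@example.invalid
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Nothing to see here.</p></body></html>
"""


class RefreshFinder(HTMLParser):
    """Collects the targets of <meta http-equiv="refresh"> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; url=https://host/path"; keep only the URL part
        _, _, rest = a.get("content", "").partition(";")
        rest = rest.strip()
        if rest.lower().startswith("url="):
            rest = rest[4:].strip().strip("'\"")
        self.targets.append(rest)


def find_remote_refresh(raw_message: bytes) -> list:
    """Return remote URLs that the message's HTML parts would redirect to."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RefreshFinder()
        finder.feed(part.get_content())
        found.extend(t for t in finder.targets
                     if t.lower().startswith(("http://", "https://")))
    return found
```

A gateway would quarantine or strip the HTML part when the returned list is non-empty, which protects users whose client renders the tag.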

It’s unclear why Apple has left this obvious vulnerability unpatched for nearly six months, but Souček was unimpressed.

Dissatisfied that the company hasn’t acted swiftly to patch the flaw, Souček decided to publish the code on GitHub in order to raise social engineering awareness. The problem is, in doing so he’s potentially given power users the means to deliver phishing attacks upon unsuspecting owners of iOS devices.

People who don’t use the stock Mail app are not at risk of having their iCloud credentials hijacked with this attack method.

The best piece of advice I could give to anyone is this: avoid typing your iCloud or Apple ID username and password into any app or dialog box at all costs, unless you’re absolutely sure the prompt came from the operating system itself.

In the case of this particular bug, ignore any such prompt that may surface as you’re using Apple Mail on your iPhone, iPod touch or iPad.

Source: The Register

  • Blip dude

    This hasn’t happened. But what has been happening on my iPhone is: I’ll be using the Facebook or Instagram app (or any other app), suddenly the app closes itself and the iTunes Store app opens itself automatically. Nothing I did prompted such action. Yes, I am jailbroken but no pirate repos/tweaks are used. Anywho, I saw a patch for this on Cydia earlier and installed it. I don’t think this is the case though. Sorry for the (slightly) off topic response.

    • Could you please share the patch name? I can’t find it anywhere.

      • Blip dude

        It’s on the Hashbang repo, same guys that brought us typestatus, so I’m sure they are legit.

      • Blip dude

        Sorry, not sure what happened but here is the pic again (Hashbang repo):

      • thanks a bunch we should try to spread this tweak!

    • bryan angel

      Buddy, try and use iOS 9 and then you will come to know how crashing feels like :-p I know it’s meant for developers but had to try and see how it was and it’s quite ok. Hope the next beta betters the battery life and removes the crashes and of course NEW features.

      • Blip dude

        Huh?? What the hell does this have to do with crashing or iOS 9?? I think you commented on the wrong thread here. Also, my apps don’t crash at all, they close themselves and they continue to work in the background. Also, you kind of just explained why I shouldn’t install beta software period, so you kind of just cancelled your own point. How did you think a beta 1 software was going to be??

  • Mr_Coldharbour

    Ouch, glad I don’t use iCloud mail or iCloud altogether for that matter (never felt the need to). But I sure hope someone releases a patch on Cydia for those of us who are still jailbroken.

    • It’s not a bug with iCloud it’s a bug with the mail app:

      Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS.

      That’s taken from the Github page linked in the article. If you use the Mail app you’re potentially vulnerable no matter who your email provider is.

  • Nitsud

    I’m assuming a change of password would help as well?

  • 5723alex .

    Every time you connect an iOS device for charging and running iCloud backup, the system asks for your Apple ID.

  • Bugs Bunnay

    Gun dang it. Too late. Rip me.

  • throttle clutch e brake

    It’s just like PayPal. I received spoof emails masquerading as PayPal saying the buyer paid in full, ship now. Full replica of what a PayPal email should’ve looked like and all.

    scary stuff

  • so this exploit only happens on 8.3?

    • Chris

      From what I’ve read, 8.2 as well.

  • M_thoroughbred

    Does this also happen in the Mac mail client as well?

  • Benedict

    Interesting to see that Apple is well informed about their own security problems and does nothing about it. Instead they are offending other companies and claim these are insecure. I don’t wanna know how many people get tricked by this exploit and enter their ID and password. Would be nice to have the system apps in the App Store to be updated separately like it’s done on Android instead of pushing an OS security update.

  • Is this related to why my iPhone used to ask me for my iCloud password NONSTOP? I had that issue back in the winter, until I finally updated when the last jailbreak came out. Either way I have since changed my password but man was that so annoying!

    • Mine do that a lot too sometimes. It’s weird. Never had my accounts hacked though.

  • neoamaru

    with the arrival of Outlook, all has changed, haven’t looked back ever since (^^)

    Why sure It had been LOL. Their my estimation that if your in your adolescents or 20s there are greater things to complete or view late night. I also hate the Kardashian show and think people that watch that junk deserve and L. Im sorry basically hurt you or other people that watches these reveals but I think these shows are horrible and only an only minded fool might enjoy them on a regular schedule