iOS Mail Flaw Could Trick and Phish Your iCloud Credentials

A vulnerability in iOS has been uncovered in the HTML handling of the Mail app that when abused properly, could easily trick you into handing hackers your iCloud credentials.

The flaw isn’t an exploit that allows control over the device, but instead is a form of a Trojan horse that aims at phishing credentials, a tactic hackers use where they set up a phony login page that’s sole intention is stealing your username and password.

A Github researcher who operates under his alias, jansoucek or Jan Souček, reported the flaw to Apple back in January, posting a video on YouTube of his proof-of-concept at work, showcasing how he could easily steal anyone’s iCloud password through the mail app. Souček has confirmed that Apple’s security team has been well aware of the issue since January of this year.

“This bug allows remote HTML content to be loaded, replacing the content of the original email message,” Souček wrote on Github with an attached video of him debuting his attack. “JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS.”

According to Souček, Apple’s latest iOS 8.3 fails to filter out potentially harmful HTML code embedded within emails. In the video above, he executes his proof-of-concept code, taking advantage of the flaw by displaying a remote HTML form that looks nearly identical to the iCloud login form. The nearly identical page could easily trick victim’s into entering their iCloud username and password.

However, the flaw isn’t at easy and ‘identical’ as it may sound, due to the fact that there are significant differences in the real iCloud login page from the phony one. For starters, your predictive keyboard mode won’t activate as it normally would and the login page can be dismissed by hitting the ‘home’ button, unlike Apple’s official login page which requires you to manually cancel the action before you can exit home. Another major difference would be your keyboard, on the bottom right it will say Go, as it normally would with an online form, not Apple’s official login.

If you find yourself victim to this attack, the only way to protect your iCloud account would be to use two-step verification. Meaning if a hacker tries to login your account with your stolen username and password, it will require the hacker to authenticate themselves twice to ensure their identity. This will hinder hackers ability at hijacking your iCloud account.

An Apple spokesperson said the company was “not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update.”