A new bug facing the iOS Mail app was found recently by security specialist Jan Soucek (via The Register). The malicious bug is capable of delivering false iCloud log-in prompts by allowing remote HTML content to be loaded through an email message delivered to the intended victim. The bug then delivers a convincing iCloud log-in box for users to re-enter their Apple ID and password. Soucek says that Apple did not respond to his discovery of the bug when he stumbled across it back in January.


"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS."

The bug isn't relegated to only iCloud phishing attacks, however, letting anyone with access to it customize the attack to ask for whichever username and password credentials they feel the need for. Soucek kept the details of the bug only between himself and Apple, letting the company have time to possibly fix the attack and inform him of its progress. Given the company's remaining quietness on the subject, he decided to publish the proof of concept - called the Mail.app inject kit - on GitHub in hopes of spreading its awareness.

"It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here."

While Soucek's actions bring the malicious bug to more people's attentions and can help stop it in due time, it also means there's a wider chance for phishers to deploy it on their own. Until Apple comments on the story and offers a fix for the bug, it'll be safest to take precaution when any password prompt emerges while browsing email in iOS.

Related Forum: iOS 8

Top Rated Comments

laurim Avatar
115 months ago
I've been having issues with repeated requests to log into iCloud for a while so if this happened while I was in Mail, I wouldn't know if it were simply more of the same or a malicious one via Mail itself. You people on here being so smug talking smack about your wives being so dumb need to stop before you embarrass yourself. well, too late but I mean after you also fall for it. This is different than falling for a regular phishing email .
Score: 11 Votes (Like | Disagree)
tigres Avatar
115 months ago
Splendid... My wife would fall for that.
Score: 6 Votes (Like | Disagree)
nagromme Avatar
115 months ago
Will the fake dialog swipe/scroll when you scroll the email? If so, that's a quick check as a defensive stopgap for those who want to watch out for this. A real dialog would be stuck to the screen and not move when you scroll.
Score: 6 Votes (Like | Disagree)
avanpelt Avatar
115 months ago
Turn two factor authentication or app-specific passwords on (or both) and this will not be a problem. Though obviously it is something that Apple needs to fix.
Score: 5 Votes (Like | Disagree)
C DM Avatar
115 months ago
That's not something Apple can control without removing features from Mail that exist in literally every modern e-mail client. Essentially what is happening here is Mail is rendering a website. It's a very small website and it's been designed to look like Apple's UI to trick you.

So here are Apple's options:


* They could disable HTML / CSS completely, and push Mail back into the dark ages.
* They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.
* They could disable specific HTML like FORMS, which would prevent this particular scam but again, cause unexpected issues when a valid e-mail has a valid form.
* They could scan the email for specific html like FORMS and provide a notice/alert that the email might be attempting to steal passwords. This is probably the best scenario but even so it would scare users away from legitimate emails using forms (which granted, are very few)

But again... this e-mail would look the same and FUNCTION the same whether you viewed it on iOS, or OS X, or Windows, or via Safari or Chrome or Opera... whether you loaded the email from Mail.app or via iCloud or Gmail or Outlook or any other email client.

And any "fix" Apple takes on its end is really only a bandage. It wouldn't prevent this phishing email from functioning on other e-mail clients and any "fix" they offer has downsides as listed above.

It's not an exploit. It's not a bug. It's not something that can only affect iOS users outside that it vaguely looks like the iOS environment. It's not a "Meta tag issue" or the result of some faulty programming on the part of Apple's iOS development team.
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
You haven't checked the link, have you? https://github.com/jansoucek/iOS-Mail.app-inject-kit
It is a meta tag issue, and your four bullets above wouldn't do anything to stop it. The email doesn't have a form, the email redirects the user to a webpage (within the mail client) that has a form. Big difference. And as the person has described, it doesn't work the same way in all mail clients, as others wouldn't follow the meta refresh.
Go read up, then come back and change your mind.
And then there's that.
Score: 4 Votes (Like | Disagree)
mw360 Avatar
115 months ago
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
I posted a good while ago about exactly this problem. Of my four iCloud enabled devices I must get at least one spurious iCloud password prompt per day (although some periods are worse than others). It seems to be either iMessage and its eternal struggle to get a ****ing grip, or FaceTime, or some other cluster that's gone off behind the scenes. And these prompts are rarely related to me actually trying to so something iCloud related. Just turn on the iPhone, and 'enter your iCloud password'. Apple don't even say why, just training us, like good little dupes, to hand it over whenever some plain white box asks for it.
Score: 3 Votes (Like | Disagree)

Popular Stories

maxresdefault

Apple to Launch New iPad Pro and iPad Air Models in May

Thursday March 28, 2024 11:07 am PDT by
Apple will introduce new iPad Pro and iPad Air models in early May, according to Bloomberg's Mark Gurman. Gurman previously suggested the new iPads would come out in March, and then April, but the timeline has been pushed back once again. Subscribe to the MacRumors YouTube channel for more videos. Apple is working on updates to both the iPad Pro and iPad Air models. The iPad Pro models will...
General Apps Messages

Google Reveals When to Expect RCS Support on iPhone for Improved Texting With Android Users

Friday March 29, 2024 7:14 am PDT by
In November, Apple announced that the iPhone would support the cross-platform messaging standard RCS (Rich Communication Services) in the Messages app starting "later" in 2024, and Google has now revealed a more narrow timeframe. In a since-deleted section of the revamped Google Messages web page, spotted by 9to5Google, Google said that Apple would be adopting RCS on the iPhone in the "fall...
airtag new orange

Criminals in Montreal Using AirTags to Steal Vehicles

Friday March 29, 2024 12:50 pm PDT by
Thieves in Montreal, Canada have been using Apple's AirTags to facilitate vehicle theft, according to a report from Vermont news sites WCAX and NBC5 (via 9to5Mac). Police officers in Burlington, Vermont have issued a warning about AirTags for drivers who recently visited Canada. Two Burlington residents found Apple AirTags in their vehicles after returning from trips to Montreal, and these...
top stories 30mar2024

Top Stories: WWDC 2024 Announced, New iPads Delayed, and More

Saturday March 30, 2024 6:00 am PDT by
Apple's WWDC 2024 dates have been announced, giving us timing for the unveiling of the company's next round of major operating system updates and likely some other announcements. This week also saw some disappointing news on the iPad front, with update timing for the iPad Pro and iPad Air pushed back from previous rumors. We did hear some new tidbits about what might be coming in iOS 18 and...
iphone 16 cases sonny dickson 1

First iPhone 16 Cases Outline New Rear Vertical Camera Bump

Friday March 29, 2024 4:09 am PDT by
Photos of the first iPhone 16 cases have been shared online, offering another preview of the rumored new vertical rear camera arrangement on the standard iPhone 16 and iPhone 16 Plus. Image credit: Accessory leaker Sonny Dickson Over the last few months, Apple has been experimenting with different camera bump designs for the standard iPhone 16 models, all of which have featured a vertical ...
Apple iPhone 15 Pro spatial video capture lifestyle

$3 App Shoots Better Quality Spatial Video Than iPhone's Camera App

Friday March 29, 2024 4:48 am PDT by
A $3 third-party app can now record spatial video on iPhone 15 Pro models in a higher resolution than Apple's very own Camera app. Thanks to an update first spotted by UploadVR, Spatialify can now record spatial videos with HDR in 1080p at 60fps or in 4K at 30fps. In comparison, Apple's native Camera app is limited to recording spatial video in 1080p at 30fps. Shortly after Apple's Vision ...