iOS security researcher Jan Souček has discovered a new bug in iOS’s mail client that could trick users into accidentally giving attackers their Apple ID and password.
The Mail app exploit was discovered at the beginning of 2015, and Apple’s engineers were quickly notified of its existence, but a fix for the bug hasn’t been released in any of the updates following iOS 8.1.2. According to Souček, the bug allows remote HTML content to be loaded, making it possible to build a password collector that looks just like an iCloud sign-in prompt.
Here’s a video of the bug in action:
In a GitHub repo detailing his discovery, Souček says the bug was filed under Radar #19479280 back in January. Souček used the exploit to create a tool capable of generating iCloud password phishing emails, but it could be customized by phishers to pilfer passwords from other services as well.
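The two ingredients the article describes, remote content being pulled into a message and a sign-in-style prompt rendered inside it, are both visible in the raw HTML of an email before any client renders it. The scanner below is an added, defender-side example (not code from the article or from Souček’s repository) of the kind of check a mail gateway or a triage script can run over an incoming HTML body; the tag list, indicator names, and the sample messages are assumptions constructed for this example.

```python
"""Flag HTML email bodies that load remote content or present a password prompt.

Added example, not from the article or the researcher's repo. It looks for
the combination the bug relies on: something fetched from a remote host,
plus a form that asks for a password. Sample bodies below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute pairs that make a mail client fetch a remote resource
# (assumed list; extend it for the client you are protecting).
REMOTE_LOADERS = {
    "img": "src", "iframe": "src", "script": "src",
    "link": "href", "object": "data", "embed": "src",
}


def _is_remote(url):
    """True for absolute http(s) URLs and protocol-relative '//host/...' URLs."""
    if not url:
        return False
    if url.strip().startswith("//"):
        return True
    return urlparse(url.strip()).scheme.lower() in ("http", "https")


class PhishIndicatorParser(HTMLParser):
    """Collects (indicator, tag, value) tuples while parsing an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        if tag in REMOTE_LOADERS and _is_remote(a.get(REMOTE_LOADERS[tag])):
            self.findings.append(("remote_content", tag, a.get(REMOTE_LOADERS[tag])))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta_refresh", tag, a.get("content")))
        if tag == "form" and _is_remote(a.get("action")):
            self.findings.append(("form_posts_remote", tag, a.get("action")))
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append(("password_field", tag, a.get("name")))


def scan_html_email(body):
    """Return every indicator found in the HTML body as a list of tuples."""
    parser = PhishIndicatorParser()
    parser.feed(body)
    parser.close()
    return parser.findings


def looks_like_credential_phish(body):
    """True when the body asks for a password AND pulls in or posts to a remote host."""
    kinds = {kind for kind, _tag, _value in scan_html_email(body)}
    asks_for_password = "password_field" in kinds
    touches_remote = bool(kinds & {"remote_content", "meta_refresh", "form_posts_remote"})
    return asks_for_password and touches_remote


# Constructed sample: a message that mimics a sign-in prompt and posts elsewhere.
SAMPLE_PHISH = """<html><body>
<img src="https://example.invalid/logo.png">
<p>Your session has expired. Please sign in again.</p>
<form action="https://example.invalid/collect" method="post">
  <input type="text" name="appleid">
  <input type="password" name="pw">
</form></body></html>"""

# Constructed sample: an ordinary newsletter with an inline (cid:) image only.
SAMPLE_BENIGN = """<html><body>
<img src="cid:logo@newsletter"><p>Thanks for subscribing.</p>
</body></html>"""


if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, looks_like_credential_phish(body), scan_html_email(body))
```

Run as a script it prints the verdict and the raw indicators for both samples. The point of keeping `scan_html_email` separate from the verdict is that the indicator list is what an analyst wants in an alert: which host the form posts to, and which resources the message would fetch, are the values worth correlating across a mailbox.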
We reached out to Apple for comment on whether or not a fix is in the works, but haven’t received a comment at this time.
Source: TheRegister
5 responses to “iOS mail exploit might let phishers snatch your Apple ID credentials”
Correct me if I am wrong, but this is not a bug but merely a function of ALL modern email viewers that allow the viewing of remote content. Apple at least gives us the option to turn off “Load remote content in messages” in Mail preferences. Smart users will be sure to disallow automatic loading of such remote content by setting their preferences accordingly.
Yet another “bug” report that really isn’t a “bug” … great job CoM. NOT. Just turn off “Load remote content in messages”; problem solved.
Click-bait, fear-mongering non-news. (yawn)
I would first waterboard these so-called security experts.
I had something similar, without the email confirmation, happen to me on Yahoo. Should I change my password?