iOS security researcher Jan Souček has discovered a new bug in iOS’s Mail client that could trick users into unwittingly handing attackers their Apple ID and password.
The Mail app exploit was discovered at the beginning of 2015, and Apple’s engineers were quickly notified of its existence, but a fix for the bug hasn’t been released in any of the updates following iOS 8.1.2. According to Souček, the bug allows remote HTML content to be loaded, making it possible to build a password collector that looks just like an iCloud sign-in prompt.
Here’s a video of the bug in action:
In a GitHub repo detailing his discovery, Souček says the bug was filed under Radar #19479280 back in January. Souček used the exploit to create a tool capable of generating iCloud password phishing emails, but it could be customized by phishers to pilfer passwords from other services as well.
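From the defender's side, the practical question is how a mail gateway or analyst would spot a message of the kind described above: an HTML body that pulls in remote content or presents a sign-in form inside the mail client. The Python below is an added illustration written for this article; it is not Souček's tool, Apple's code, or anything from the Radar report. The indicator patterns are assumed heuristics, and the two messages it scans are constructed samples (the `example.invalid` host is a placeholder).

```python
"""Heuristic scan of inbound mail for HTML that loads remote content or
carries a credential form.  Added illustration for this article; the
indicator list is an assumption, not a complete parser or a product rule."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Markup a defender would want flagged in a mail body (assumed heuristics):
# remote frames/scripts, meta refresh redirects, and password forms that
# post to an external host.
INDICATORS = {
    "remote_frame": re.compile(
        r"<(?:iframe|frame)\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.I),
    "remote_script": re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.I),
    "meta_refresh": re.compile(
        r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh", re.I),
    "password_form": re.compile(
        r"<input\b[^>]*\btype\s*=\s*['\"]?password", re.I),
    "external_form": re.compile(
        r"<form\b[^>]*\baction\s*=\s*['\"]?https?://", re.I),
}


def html_parts(raw: bytes) -> List[str]:
    """Return the decoded text of every text/html part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parts.append(part.get_content())
    return parts


def scan_message(raw: bytes) -> List[str]:
    """Return the sorted names of every indicator matched by any HTML part.

    An empty list means no heuristic fired; a non-empty list is a reason to
    quarantine or at least strip the HTML part before delivery."""
    hits = set()
    for html in html_parts(raw):
        for name, pattern in INDICATORS.items():
            if pattern.search(html):
                hits.add(name)
    return sorted(hits)


def build_sample(html: str) -> bytes:
    """Build a constructed multipart/alternative message around `html`."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "user@example.invalid"       # placeholder address
    msg["Subject"] = "Account notice"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


# Constructed sample 1: HTML that frames a remote page and shows a
# password form posting to an external host.
SAMPLE_SUSPICIOUS = build_sample(
    "<html><body>\n"
    "<p>Your account needs verification.</p>\n"
    '<iframe src="https://example.invalid/login"></iframe>\n'
    '<form action="https://example.invalid/collect" method="post">\n'
    '<input type="text" name="user">\n'
    '<input type="password" name="pw">\n'
    "</form></body></html>\n"
)

# Constructed sample 2: ordinary HTML mail with an inline (cid:) image only.
SAMPLE_BENIGN = build_sample(
    "<html><body><p>Hi, see you tomorrow.</p>\n"
    '<img src="cid:logo"></body></html>\n'
)

if __name__ == "__main__":
    print("suspicious:", scan_message(SAMPLE_SUSPICIOUS))
    print("benign:", scan_message(SAMPLE_BENIGN))
```

Regex matching over HTML is deliberately crude here; a production filter would parse the markup and also consider sender authentication results, but the point of the check is the same: a mail client that renders remote HTML turns any message carrying these elements into a credential prompt, so they should be caught before the message reaches the inbox.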
We reached out to Apple for comment on whether or not a fix is in the works, but haven’t received a comment at this time.