Latest iOS Mail Bug Makes Stealing Your iCloud Password Easy As (Apple) Pie

Jan Souček, a security researcher from Prague, has uncovered a vulnerability in the iOS Mail application that nefarious types can exploit against users of the app to gain access to their iCloud passwords.

The method published by Souček illustrates how an email sent to the hapless victim can use HTML code that mimics the iCloud login pop-up window upon receipt. Then, after said victim has inadvertently typed their iCloud password into the window's Password field and tapped OK, an email is sent back to the sender with that critical information.

Specifically, the vulnerability stems from a bug in the Mail app that prevents the HTML tag in e-mail messages from being ignored. This allows remote HTML content to be loaded into an email, and thus replace the actual email message content. The bad guys can then employ a password collector using HTML and CSS (Souček built one himself), and voilà... iCloud breach accomplished.
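A mail gateway or client-side filter can look for the markup this kind of message depends on. The Python below is an added example, not Souček's proof of concept or Apple's code; the finding labels, the sample messages, and the choice of `<meta http-equiv="refresh">` as the remote-loading tag to check are assumptions of this example, since the article does not name the tag.

```python
import email
from email import policy
from html.parser import HTMLParser

class MailHtmlAudit(HTMLParser):
    """Collect markup in an HTML mail part that can imitate a login prompt."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "").strip().lower() for name, value in attrs}
        if tag == "input" and a.get("type") == "password":
            self.findings.add("password-field")
        if tag == "form":
            self.findings.add("form")
        # Assumption: the article does not name the tag; meta refresh is
        # checked here as one tag that replaces the body with remote content.
        if tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.add("remote-replace")

def scan_message(raw):
    """Return sorted finding labels for every text/html part of a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    audit = MailHtmlAudit()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_content())
    audit.close()
    return sorted(audit.findings)

HEADERS = ("From: sender@example.test\nTo: user@example.test\n"
           "Subject: constructed sample\nMIME-Version: 1.0\n"
           "Content-Type: text/html; charset=utf-8\n\n")
# Constructed sample inputs, not taken from the published proof of concept.
SUSPECT = HEADERS + ('<html><head><meta http-equiv="refresh" '
                     'content="0; url=https://example.test/"></head>\n'
                     '<body><form action="https://example.test/">'
                     '<input type="password" name="p"></form></body></html>\n')
BENIGN = HEADERS + "<html><body><p>Meeting moved to 3pm.</p></body></html>\n"

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, scan_message(raw))
```

Legitimate mail almost never carries a password field, so that finding alone is a strong signal for quarantine or for stripping the HTML part before delivery.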

Souček came upon the Mail app bug in January and reported it to Apple, but the bug was not eradicated in the ensuing iOS 8.1.2 release, which is why he says he chose to publish his proof-of-concept code.

With a user's iCloud credentials in hand, an avid troublemaker can access and download any and all data stored in the compromised account to a computer or another mobile device, without limitation.

Apple has, of course, been under significant fire over the breach of a large number of celebrity iCloud accounts last year, a security compromise that resulted in the public release of some very private (and quite NSFW) communications and photos between various members of the beautiful set and those with whom they would share their racier thoughts and selfies. Since that time the company has tightened up its iCloud defenses by offering two-factor authentication and by sending notifications to users whenever their account is accessed by an unknown device or their password is changed.

Via:  GitHub