November 22, 2024

iOS Mail Bug Could Be Used to Phish Passwords From Users

Posted June 10, 2015 at 4:02pm by iClarified
Jan Soucek has discovered a new bug in the iOS Mail app that allows remote HTML code to be loaded, replacing the original content of the message.

Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS.

The bug could be used to create fake iCloud-like login forms that would capture passwords and more, right within the iOS Mail app. Soucek says he notified Apple of this bug back in January 2015, but the company never issued a fix, so he published a proof of concept to put pressure on Apple to fix the bug.

While Soucek uses an iCloud-login form to demonstrate the bug, almost any website could be imitated, making it possible to steal credit cards, passwords, social security numbers, and more.

No word on which iOS versions are impacted by the bug, but please be wary of any pop-up login forms that appear within the iOS Mail app.
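For mail administrators, one way to surface messages of this kind before they reach a device is to audit the HTML part at the gateway. The sketch below is an added example, not Soucek's proof of concept or Apple's code; the list of flagged constructs is an assumption (generic HTML elements that fetch or swap in remote content, plus password fields), and the sample message and example.test host are constructed.

```python
# Added example: flag HTML e-mail parts that load remote content or ask for a password.
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: generic tag -> URL attribute pairs that can pull in or post to a remote host.
REMOTE_ATTRS = {"iframe": "src", "frame": "src", "object": "data",
                "embed": "src", "link": "href", "form": "action"}

class MailHtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # A refresh directive can replace the displayed message with another page.
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password-input", a.get("name", "")))
        elif tag in REMOTE_ATTRS:
            url = a.get(REMOTE_ATTRS[tag], "")
            if urlparse(url).scheme in ("http", "https"):
                self.findings.append((f"remote-{tag}", url))

def audit_message(raw):
    """Return (kind, detail) findings for every text/html part of a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")
            parser = MailHtmlAudit()
            parser.feed(body)
            parser.close()
            findings += parser.findings
    return findings

# Constructed sample message; example.test is a placeholder host.
SAMPLE = (
    "Subject: Account notice\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<form action="https://login.example.test/collect" method="post">'
    '<input type="text" name="user"><input type="password" name="pw"></form>\n'
)

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

A non-empty result is a reason to quarantine or strip the HTML part, not proof of phishing; legitimate newsletters also link remote stylesheets.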
