iOS Flaw Could Allow Attackers to Steal iCloud Passwords and Sensitive Information

A developer going by the name Jansoucek on Github has posted details and code that would allow anyone to carry out an attack on users of the native iOS Mail app. The code exploits a vulnerability that Jansoucek says he discovered and notified Apple about in January this year, and which has remained unpatched despite there having been multiple new versions released since then.

As Ars Technica reports, the flaw relates to Mail.app not properly stripping HTML code from the bodies of emails as they are displayed. One tag in particular, , instructs Mail.app to download and execute remote code. This can be exploited in a number of ways, one of which is to download a form which could look like an iCloud password prompt. If a user believes it is genuine, he or she would wind up sending his or her credentials to the attacker.

The proof-of-concept hack is sophisticated in that it uses the fact that downloaded code will only be displayed in Mail.app and not in any other client. iOS users will be presented with a dialog box that closely mimics the standard Apple ID prompt, and specifically asks for iCloud credentials.

Further, the flaw allows a tracking cookie to be set which prevents the code from being executed each time the same message is opened, to alleviate suspicion. If needed, the attacker can alter the code later so that different messages are displayed in order to steal different kinds of information.

Commentators on Github and various news outlets have pointed out that it is possible for users to realise that the dialog is not a genuine Apple prompt: it is not truly modal, which means the background will not fade out and other elements on screen will remain active. The fake input box prompts the user to input an ID as well as password, whereas standard Apple ID checks display the username already and ask only for the password. The keyboard is automatically displayed for genuine prompts, whereas you have to tap the fake one and it will move upwards when the keyboard pops up. Third-party keyboards and autocorrect are disabled for password entry, but the fake dialog box will not trigger any of those behaviours.

However, these are all subtle cues and many users could still very easily fall for the fake password prompt. It should also be noted that the flaw can be used to steal all kinds of information, and that the dialog shown need not necessarily be styled as a part of the iOS interface. iPhone and iPad users should be warned, as the code to enable such a hack is now freely available online and others are bound to come up with variations of their own.