Hacking and phishing are ever-evolving cat-and-mouse games. As soon as one attack method is quashed, another leaps to fill its place. A new type of phishing attack has been brought to attention, and iOS users should take heed. This phishing attack launches a pop-up window while a user is checking mail in iOS Mail. The pop-up appears genuine, asking the user to verify their iCloud login information.
The security flaw was discovered by researcher Jan Soucek. The bug allows an attacker to remotely run HTML code that is triggered when a user opens an email. In Soucek’s proof of concept, the injected HTML masquerades as a login prompt, to which unsuspecting users hand over their Apple ID passwords.
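A mail gateway can refuse to pass HTML that carries the ingredients of a fake login prompt. The following is an added example written for this article, not code from the article, from Jan Soucek's proof of concept, or from Apple; it assumes the gateway can hand the filter a raw RFC 5322 message, and the two sample messages are constructed here for illustration.

```python
"""Flag HTML e-mail bodies that contain login-prompt markup.

Added example; not code from the article or from the proof of concept it
reports on. Assumes a mail gateway hands us the raw message bytes.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Markup that has no business in a normal mail body but is exactly what a
# fake "verify your iCloud login" prompt needs: a form, a password field,
# a meta refresh that swaps the rendered body for other content, or script.
_MARKERS = {
    "form": re.compile(r"<form\b", re.I),
    "password_input": re.compile(r"<input\b[^>]*type\s*=\s*[\"']?password", re.I),
    "meta_refresh": re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I),
    "script": re.compile(r"<script\b", re.I),
}


def html_parts(raw: bytes) -> list[str]:
    """Return the decoded text/html parts of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() == "text/html"
    ]


def find_login_prompt_markup(raw: bytes) -> list[str]:
    """Names of the suspicious markers found in any HTML part, in a fixed order."""
    found: list[str] = []
    for html in html_parts(raw):
        for name, pattern in _MARKERS.items():
            if name not in found and pattern.search(html):
                found.append(name)
    return found


def build_message(html: str, subject: str) -> bytes:
    """Build a constructed multipart/alternative message for the samples below."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed sample address
    msg["To"] = "user@example.invalid"       # constructed sample address
    msg["Subject"] = subject
    msg.set_content("plain text fallback")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


# Constructed samples: an ordinary newsletter and a lure that embeds a
# password form styled to look like a system prompt.
BENIGN = build_message(
    "<html><body><p>Weekly update.</p>"
    "<p><a href='https://news.example.invalid/'>Read more</a></p></body></html>",
    "Newsletter",
)
SUSPICIOUS = build_message(
    "<html><body><div style='border:1px solid #ccc'>"
    "<p>Your account needs verification.</p>"
    "<form action='https://login.example.invalid/verify' method='post'>"
    "<input name='user'><input type='password' name='pw'>"
    "<button>Sign in</button></form></div></body></html>",
    "Please verify your account",
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "->", find_login_prompt_markup(raw) or "clean")
```

The filter deliberately inspects the decoded HTML part rather than the raw transfer encoding, so quoted-printable or base64 wrapping does not hide the markup; a gateway would quarantine or strip the HTML part when `find_login_prompt_markup` returns anything.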
UPDATE: An Apple spokesperson has provided the following response: “We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update.”
Check out the video below to see how the bug can be used as a phishing attack.
The most surprising aspect of this bug is Apple’s lack of response to the security flaw. It turns out that Soucek first filed a bug report with Apple six months ago, back in iOS 8.1.1. In a striking move on Soucek’s part, he published the code to GitHub, which means the code is publicly available for anyone to use. Hopefully, alerting iOS users to the potential threat will put pressure on Apple to fix it by the next update.
Until Apple addresses the security flaw, you should stay away from any pop-ups that appear in iOS Mail, no matter how authentic they look. If anything genuinely needs to be verified, wait until after you’ve exited iOS Mail before entering any sensitive information.
Source: 9to5 Mac