A security researcher has highlighted an iOS bug that makes it easier for hackers to to steal iCloud passwords, reports Ars Technica.
The proof-of-concept attack was posted to GitHub earlier this week by user Jan Soucek, identifying a flaw in the Mail app in the latest version of iOS. The app contains dangerous code linked to incoming messages, allowing a hacker to remotely load HTML content that would replace the message in the original email.
In the researcher’s demonstration, it was shown how a criminals could use a few lines of code to insert a form in an email that is made to look identical to legitimate iCloud pop-ups. Should the recipient open the email and enter their details, the hacker can steal their iCloud credentials and use them for fraudulent purposes.
Although the fake iCloud pop-up appears within the browser, according to ZD Net it can be tweaked to display just once rather than each time the message is opened, reducing suspicion among recipients.
The vulnerability will be particularly worrying for iCloud users in the wake of a number of high-profile celebrity account hacks last year, leaking sensitive photos and videos online without permission. A computer linked to those attacks was recently traced and seized by the FBI, although no suspects have been charged.
As well as remaining cautious of incoming emails (particularly those that ask for iCloud passwords) iOS users can protect themselves against this kind of attack by turning on iCloud’s two-factor authentication. Macworld notes that an Apple spokesperson has also responded, saying that while they are not aware of anyone using this kind of malicious attack, the company is working on a fix for an upcoming software update.
Photo: Ellica / Shutterstock.com
by Kyle Ellison, ESET