Apple's iOS again raises concerns related to security, as a flaw could allow hackers to collect user passwords with a simple email.
Just recently, Apple took the spotlight as the world buzzed about the infamous text message that causes iPhone meltdowns. The company acknowledged the issue and promised a fix, but now another threat could challenge iOS users.
Apple's operating system reportedly has an unfixed vulnerability that allows hackers to obtain user passwords with a simple email. The flaw lies in Apple's iOS Mail app.
As The Register first reported, the one to warn about this vulnerability was Jan Soucek, a consultant in forensic technology at professional services firm Ernst and Young.
The iOS Mail app flaw enables hackers to send an email that looks legitimate, like it's from a genuine company, but instead is used for phishing purposes. More specifically, the vulnerability is used to steal passwords through a realistic pop-up that wouldn't raise questions for iOS users as they already receive regular iCloud authentication requests.
"This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS," Soucek explains.
Apple is reportedly aware of this vulnerability, as Soucek himself informed the company back in January, but received no answer in response. This means that Apple has known about this issue for several months now, yet it has taken no action so far. None of the iOS updates since 8.1.2 contained a fix for this flaw, so Soucek decided to take it to the next level.
The forensic technology consultant published his findings, complete with the proof-of-concept code, in an effort to make Apple take action.
According to Soucek, his HTTP-equivalent method is better than using a form directly within an HTML email, because it only loads on vulnerable iOS devices.
Opening a code-loaded email in Outlook or Gmail on the desktop and seeing the iOS-like dialog box asking for your Apple ID credentials would spark some suspicions, but since other mail clients ignore the redirect meta tag it would look like a normal email, Soucek points out. Targeting only iOS users of the app makes it more likely to go unnoticed and fulfill its purpose, he notes.
Apple has yet to issue a statement in regards to this iOS vulnerability, but the company should comment on the matter soon enough.