A new bug facing the iOS Mail app was found recently by security specialist Jan Soucek (via The Register). The malicious bug is capable of delivering false iCloud log-in prompts by allowing remote HTML content to be loaded through an email message delivered to the intended victim. The bug then delivers a convincing iCloud log-in box for users to re-enter their Apple ID and password. Soucek says that Apple did not respond to his discovery of the bug when he stumbled across it back in January.


"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS."

The bug isn't relegated to only iCloud phishing attacks, however, letting anyone with access to it customize the attack to ask for whichever username and password credentials they feel the need for. Soucek kept the details of the bug only between himself and Apple, letting the company have time to possibly fix the attack and inform him of its progress. Given the company's remaining quietness on the subject, he decided to publish the proof of concept - called the Mail.app inject kit - on GitHub in hopes of spreading its awareness.

"It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here."

While Soucek's actions bring the malicious bug to more people's attentions and can help stop it in due time, it also means there's a wider chance for phishers to deploy it on their own. Until Apple comments on the story and offers a fix for the bug, it'll be safest to take precaution when any password prompt emerges while browsing email in iOS.

Related Forum: iOS 8

Top Rated Comments

laurim Avatar
laurim
111 months ago
I've been having issues with repeated requests to log into iCloud for a while so if this happened while I was in Mail, I wouldn't know if it were simply more of the same or a malicious one via Mail itself. You people on here being so smug talking smack about your wives being so dumb need to stop before you embarrass yourself. well, too late but I mean after you also fall for it. This is different than falling for a regular phishing email .
Score: 11 Votes (Like | Disagree)
tigres Avatar
tigres
111 months ago
Splendid... My wife would fall for that.
Score: 6 Votes (Like | Disagree)
nagromme Avatar
nagromme
111 months ago
Will the fake dialog swipe/scroll when you scroll the email? If so, that's a quick check as a defensive stopgap for those who want to watch out for this. A real dialog would be stuck to the screen and not move when you scroll.
Score: 6 Votes (Like | Disagree)
avanpelt Avatar
avanpelt
111 months ago
Turn two factor authentication or app-specific passwords on (or both) and this will not be a problem. Though obviously it is something that Apple needs to fix.
Score: 5 Votes (Like | Disagree)
C DM Avatar
C DM
111 months ago
That's not something Apple can control without removing features from Mail that exist in literally every modern e-mail client. Essentially what is happening here is Mail is rendering a website. It's a very small website and it's been designed to look like Apple's UI to trick you.

So here are Apple's options:


* They could disable HTML / CSS completely, and push Mail back into the dark ages.
* They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.
* They could disable specific HTML like FORMS, which would prevent this particular scam but again, cause unexpected issues when a valid e-mail has a valid form.
* They could scan the email for specific html like FORMS and provide a notice/alert that the email might be attempting to steal passwords. This is probably the best scenario but even so it would scare users away from legitimate emails using forms (which granted, are very few)

But again... this e-mail would look the same and FUNCTION the same whether you viewed it on iOS, or OS X, or Windows, or via Safari or Chrome or Opera... whether you loaded the email from Mail.app or via iCloud or Gmail or Outlook or any other email client.

And any "fix" Apple takes on its end is really only a bandage. It wouldn't prevent this phishing email from functioning on other e-mail clients and any "fix" they offer has downsides as listed above.

It's not an exploit. It's not a bug. It's not something that can only affect iOS users outside that it vaguely looks like the iOS environment. It's not a "Meta tag issue" or the result of some faulty programming on the part of Apple's iOS development team.
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
You haven't checked the link, have you? https://github.com/jansoucek/iOS-Mail.app-inject-kit
It is a meta tag issue, and your four bullets above wouldn't do anything to stop it. The email doesn't have a form, the email redirects the user to a webpage (within the mail client) that has a form. Big difference. And as the person has described, it doesn't work the same way in all mail clients, as others wouldn't follow the meta refresh.
Go read up, then come back and change your mind.
And then there's that.
Score: 4 Votes (Like | Disagree)
mw360 Avatar
mw360
111 months ago
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
I posted a good while ago about exactly this problem. Of my four iCloud enabled devices I must get at least one spurious iCloud password prompt per day (although some periods are worse than others). It seems to be either iMessage and its eternal struggle to get a ****ing grip, or FaceTime, or some other cluster that's gone off behind the scenes. And these prompts are rarely related to me actually trying to so something iCloud related. Just turn on the iPhone, and 'enter your iCloud password'. Apple don't even say why, just training us, like good little dupes, to hand it over whenever some plain white box asks for it.
Score: 3 Votes (Like | Disagree)
Read All Comments

Popular Stories

iOS 17

iOS 17.2 Will Add These 12 New Features to Your iPhone

Friday December 1, 2023 12:19 pm PST by
iOS 17.2 has been in beta testing for over a month, and it should be released to all users in a few more weeks. The software update includes many new features and changes for iPhones, including the dozen that we have highlighted below. iOS 17.2 is expected to be released to the public in mid-December. To learn about even more features coming in the update, check out our full list. Journal ...
Read Full Article
iOS 16 4 Web Push

Apple Confirms Governments Using Push Notifications to Surveil Users

Wednesday December 6, 2023 5:06 am PST by
Unidentified governments are surveilling smartphone users by tracking push notifications that move through Google's and Apple's servers, a US senator warned on Wednesday (via Reuters). In a letter to the Department of Justice, Senator Ron Wyden said foreign officials were demanding the data from the tech giants to track smartphones. The traffic flowing from apps that send push notifications...
Read Full Article135 comments
airpods pro 2 pink

Apple Releases New AirPods Pro 2 Firmware

Tuesday December 5, 2023 11:28 am PST by
Apple today released new firmware update for both the Lightning and USB-C versions of the AirPods Pro 2. The new firmware is version 6B34, up from the 6B32 firmware introduced in November. Apple does not provide details on what features might be included in the refreshed firmware beyond "bug fixes and other improvements," so it is unclear what's new in the update, but prior software releases ...
Read Full Article76 comments
Beyond iPhone 13 Better Blue

'All-Screen' iPhone Under-Display Camera Enters Development

Wednesday December 6, 2023 2:03 am PST by
Apple's Korean suppliers have begun developing smartphone under-display cameras (UDC), paving the way for the first iPhone with a true "all-screen" appearance. According to The Elec, LG Innotek has entered the preliminary development of the UDC, which sits under the display and does not result in a visible hole in the panel when the camera is not in use. A UDC differs from a typical front ...
Read Full Article104 comments
magsafe blue 2

iOS 17.2 Brings Qi2 Support to iPhone 13 and iPhone 14 Models

Tuesday December 5, 2023 11:04 am PST by
The iOS 17.2 update that Apple is set to release to the public in the near future will bring support for the next-generation Qi2 wireless charging standard to the iPhone 13 and iPhone 14 models. Qi2 was mentioned in the release notes for the RC version of the update that came out today. With the addition of support for the new standard, iPhone 13 and iPhone 14 models will work with Qi2...
Read Full Article32 comments
iphone se 4 modified flag edges

iPhone SE 4 May Reuse Existing iPhone 14 Battery

Wednesday December 6, 2023 1:17 pm PST by
Recently, MacRumors has received details on the battery currently being tested on the upcoming fourth-generation iPhone SE, and the information corroborates previous findings in relation to the device. The iPhone SE 4, known by its device identifier D59, is expected to use the exact same battery found in the base model iPhone 14. Partially assembled prototypes of the next iPhone SE have been ...
Read Full Article81 comments
airpods pro bulbs

Black Friday Prices Return for AirPods Pro 2 With USB-C, iPad, and More

Tuesday December 5, 2023 7:30 am PST by
Today we're tracking a collection of deals that are matching - or nearly matching - the same all-time low discounts we saw during Black Friday. This includes the AirPods Pro 2 with USB-C, 9th generation iPad, and M1 MacBook Air. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the ...
Read Full Article4 comments
instagram messenger

Instagram and Facebook Messenger Chats to Disconnect This Month

Tuesday December 5, 2023 1:57 am PST by
Meta has revealed plans to end Instagram users' ability to chat with Facebook accounts later this month, rolling back a feature that it introduced over three years ago. In September 2020, Meta (then Facebook) announced it was merging its Facebook Messenger service with Instagram direct messaging, allowing Instagram users to chat with Facebook users and vice versa using the same platform....
Read Full Article28 comments