iOS Mail Bug Could Be Used to Phish Passwords From Users

Jan Soucek has discovered a new bug in the iOS mail app that could load remote HTML code replacing the original content of the message.

Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS.

The bug could be used to create fake iCloud-like login forms that would capture passwords and more -- right within the iOS Mail app. Soucek says he notified Apple of this bug back in January 2015, but the company never issued a fix -- so he published a proof of concept to put pressure on Apple to fix the bug.

While Soucek uses an iCloud-login form to demonstrate the bug, almost any website could be imitated, making it possible to steal credit cards, passwords, social security numbers, and more.

No word on which iOS versions are impacted by the bug, but please be wary of any pop-up login forms that appear within the iOS Mail app.
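Because the collector described above needs only plain HTML (a form with a password field), a mail gateway or triage script can flag such messages before they reach a client. The following is an added example, not code from the article or from Soucek's proof of concept; the function names, the sample message and the host collector.example are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormScanner(HTMLParser):
    """Collects <form> action URLs and counts password input fields."""
    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").strip().lower() == "password":
            self.password_inputs += 1

def scan_message(raw_bytes):
    """Return (kind, detail) findings for every text/html part of a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        scanner.close()
        if scanner.password_inputs:
            findings.append(("password-input", str(scanner.password_inputs)))
        for action in scanner.form_actions:
            host = urlparse(action).hostname
            if host:  # form submits to a remote host
                findings.append(("form-posts-to", host))
    return findings

# Constructed sample message (not from the article); hosts are placeholders.
SAMPLE = b"""From: support@mail.example
To: user@mail.example
Subject: Please sign in
Content-Type: text/html; charset="utf-8"

<html><body><form action="https://collector.example/login" method="get">
<input type="text" name="user"><input type="password" name="pw"></form></body></html>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Legitimate mail almost never embeds a password field, so either finding is a reasonable trigger for quarantine or a user-facing warning.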

Marcy Leavitt - June 11, 2015 at 6:38am
I get pop-up mail logins frequently asking me to verify my Yahoo login password. Should I worry? Changing my password is probably the best option now. I use iOS 8.3 and iPhone 6 Plus.
FPM - June 10, 2015 at 4:34pm
What they also need to fix is how I get multiple of the same messages from iClarified the more a new comment is added to the article. Gmail is the only reason I use this to confirm my comment.
James - June 10, 2015 at 4:32pm
I got this pop up last night on my Mac mini. It had my user name filled in and asked for my password for iCloud login and asked me to put it in 2 times. Not sure if it's the same thing? :/
! - June 10, 2015 at 6:33pm
No it's an issue with OS X. 10.10 logging out and back in from System Preferences > iCloud.
Really - June 10, 2015 at 4:10pm
They also need to fix the glitch where if a photo sits in your recently deleted album for more than 30 days, it doesn't get hidden and actually gets deleted instead. Like if you manually set the date back a couple months or more, you'll see photos reappear in the recently deleted album