
ShikiSuen

macrumors newbie
Original poster
Sep 18, 2017
Here's a severe security case reported in this thread: https://www.v2ex.com/t/959041

Related app: https://apps.apple.com/cn/app/id1658240702

The thread above indicates that this app abuses the iOS WKWebView to do the following things:

1. Invisibly "trigger the iOS to prompt user for the access of appleid.apple.com". The email address of an AppleID will be exposed to the app if "iCloud+ hidden email address" is not enabled.

2. The app then pops up an HTML5-faked UIAlert window, prompting for the password of the Apple ID. Although its alert text looks fake to experienced users, it can still deceive a lot of users who have less patience to be sensitive in information security matters. // Note: A 3rd-party numeric keyboard extension won't be called out if it really is the iOS system prompt for Apple ID password.

3. The app abuses the stolen email, password, and the cookies to add unauthorized cellphone numbers to the 2FA trusted phone numbers list. According to the thread above, no 2FA notifications popped up during the operation.

4. The one who abuses this Apple ID then adds another person as a family-share member. This member is the one who performs the unauthorized purchases.

According to the thread above, the victim's son-in-law reported this case to Apple China but got a negative response again, again, and again. Seems like Apple China refuses to refund those unauthorized purchases.

Note: I tried this app but found that the red login button in the app won't trigger AppleID login prompts anymore. That button simply does nothing. I guess that this vulnerability might have been dealt with by the recent iOS Rapid Security Response update, probably.