I wonder if this could be solved simply by Apple trusting its own technologies. For example, allowing Touch ID to be used all the time for app purchases -- including after reboot -- would eliminate the need for this pop-up for most people.

Another solution is what some financial websites do already: let people choose a picture that will show up when the real website (or, here, interface element) is accessed. If the custom-selected pic isn't there, people would know to be wary. I sort of hate those, but they do help avoid spoofing.
 
I never understood why Apple couldn’t ask me to go to iCloud settings to enter my password before continuing? I would feel a lot more secure if I had to do that because I know that only Apple would have access to iCloud settings within the settings app.
 
I never understood why Apple couldn’t ask me to go to iCloud settings to enter my password before continuing? I would feel a lot more secure if I had to do that because I know that only Apple would have access to iCloud settings within the settings app.

We put too much trust in Apple
 
This has happened to me. When it does I just double click and close out Safari. Then I shut my phone off. Yeah I’m paranoid.
 
This has happened to me. When it does I just double click and close out Safari. Then I shut my phone off. Yeah I’m paranoid.

Do you mean it was an app doing it to steal your info? Which app was it?

Or do you just mean you have been extra careful when the box appears? From now on I am going to do that with both Mac and iPhone. It's really bad when I think back over the past few months, having set up both a new MacBook and iPhone how many times I have just unthinkingly put my password in to whichever box appeared across four different devices!
 
It’s good that he reported it to Apple so they can fix in the next update. But he just had to brag about it so he can get that publicity. Now there are probably people digging through code to find it and exploit smh. Way to go.
 
It’s good that he reported it to Apple so they can fix in the next update. But he just had to brag about it so he can get that publicity. Now there are probably people digging through code to find it and exploit smh. Way to go.
If you bothered reading the comments you would see it was reported years ago and never fixed.
 
A non-worry event with Apple vetting each app. But interesting it can happen nonetheless.
Apple vets, yes. But do they test every single scenario of the app?

I like the trick with the homepage button described in the article
It’s good that he reported it to Apple so they can fix in the next update. But he just had to brag about it so he can get that publicity. Now there are probably people digging through code to find it and exploit smh. Way to go.
It's his job. The best security experts are hackers and phishers.
 
If you throw up a CALayer over your app you can pretty much draw anything you want in it (make it look like anything), and make it touch enabled.

TouchID seems like a good and maybe only way to prevent this (I guess FaceID on the X). But there's a problem with FaceID because you can only recognize 1 face per device. So for example if I want to set a bunch of stuff up on my wife's or mom's or kid's phone or do a software upgrade, they have to be physically present every time one of these dialogs pops up, and they pop up frequently. Using your passcode as a backup is also problematic because that could also be spoofed (another thing developers could steal) and is less secure than TouchID/FaceID.
Yeah, or they could reserve part of the screen for system only. Might be easier with the iPhone X since the screen has "ears."
 
I've always felt that the iOS popup that can't just be closed is a bad idea.
 
I'm not sure I understand the advice given:

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

AFAIK pressing the Home button merely makes the app go to the background, but does not close the app - right?
 
I'm not sure I understand the advice given:

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

AFAIK pressing the Home button merely makes the app go to the background, but does not close the app - right?
I think the idea is that if it's iOS that's generating the alert, it will stay up after the app closes. If the app put up the alert, it will stick to the app and go away when the app does.
 
BTW, this guy is being VERY deceitful.

An App can’t get access to your Apple ID. Yet in one of the example dialogs he shows his own Apple ID. This isn’t possible, and by doing so he’s implying an App could trick you by showing a dialog box with your real Apple ID.

Why would a “security researcher” intentionally create a dialog box he knows is impossible to do in real life?
 
I always tap cancel to these boxes regardless, unless I'm expecting it to appear based on what I'm doing. If it then becomes apparent that I need to login somewhere, I'll go to settings. For the legitimate cases, I don't know why it can't tell you *why* it wants me to login.
 
I know some people wouldn't want the "inconvenience", but I think two-factor authentication should be required for all accounts at this point and I think we're only one major incident away from Apple implementing it.
 
Really surprised how many people are calling this clever. I've been saying this for ages - Apple throwing up these iCloud password prompts completely at random throughout iOS and macOS has set users up for these trivially simple attacks. They should never have been doing that. I note on iOS the random popups now direct the user to the Settings app to sort out whatever has gone wrong. It's better but the damage is done now.
 
I think this one is on Apple. A user gets legitimately asked for his/her password enough times and fatigue sets in, and they stop really thinking about it.

Ultimately it's a UX problem that needs to be solved so that entering one's iCloud password is 1) hard to fake and 2) doesn't happen any more often than necessary.
I agree - it's terrible UX design. IMO, the prompt should just be an alert with a button to open the settings app rather than a dialog where you can enter a password
 
I’m a power user but would definitely fall for this. The reason is that Apple asks for my stupid password at least once every week. So annoying that they don’t ask for my fingerprint.
 
Apple needs to fix the bug(s) that ask for the password at random times (I also have one where occasionally the request pops up then disappears before I can type anything).

This.
If you get used to typing in your password every now and then when a popup appears, you're going to get fooled by a malicious app.
They ought to show something different that you tap and takes you to the settings app, so you only put your password there, not on a popup.
 