iOS Mail app hacked; spam email account installed

Discussion in 'iOS 11' started by Defthand, May 16, 2018.

  1. Defthand macrumors 6502a

    Joined:
    Sep 1, 2010
    #1
    Has anyone experienced the following? My partner's iPad Mail app was hacked. A spam email account, calling itself "Senior Discounts", was installed on her iPad's Mail app. The ability to sign out/delete the unwanted email account is disabled. Her only recourse was to reset the iPad to its factory settings and restore her apps and content manually. Below is a screen capture of the account info.

    I'm reporting the experience here since Apple's Support portal doesn't have a discoverable link to report such concerns. Nor would Apple's communities allow me to post the experience. (The latter concerns me. Within its "walled garden", Apple is censoring any unflattering experiences with its products.)

    [Attachment: IMG_4908.PNG, screen capture of the account info]
     
  2. chabig macrumors 601

    Joined:
    Sep 6, 2002
    #2
    Someone probably had physical control of the iPad and added that account. It could be prevented from being deleted by locking account settings in Settings > General > Restrictions. Have him/her more carefully control who uses the iPad, and consider setting your own restrictions on accounts.
     
  3. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #3
    The Mail app wasn't hacked. Your partner would have most likely gone to a website that had a download to install a configuration profile which set up this email account.
    If the device hadn't been wiped, you'd be able to find the configuration profile this way and remove it:
    Look in the settings app under General/Profiles & Device Management and you'll see a profile which should be deleted.
    See here for more information: https://discussions.apple.com/thread/7477021
     
  4. Defthand thread starter macrumors 6502a

    Joined:
    Sep 1, 2010
    #4
    That is the likely explanation.

    We wiped the device before your post. I don't see a Profiles & Device Management field within Settings>General. We found the offensive account within Settings>Accounts & Passwords. However, unlike her iCloud account, this one couldn't be signed out of or deleted. In that respect, the spam account is a hack.
     
  5. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #5
    You couldn't delete or modify the account because it was added via a configuration profile. In iOS, unless you have profiles installed, you won't see the option for profile settings, so once you wiped the device you'd no longer see anything there.
    The user would have had to manually approve the installation of the configuration profile in order for it to be installed. Of course, most users have no idea what a configuration profile is, and as such shouldn't blindly approve installations, but that's not how people think.
    Configuration profiles in iOS (or macOS) give the author of the profile very expansive and possibly destructive access to the device and data so installation of unknown profiles should always be denied.
     
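    The following is an added illustration, not code from this thread or from Apple: a small inspector that parses an unsigned .mobileconfig before it is installed and reports the mail accounts it would create, plus whether it declares PayloadRemovalDisallowed. The sample profile is constructed here with placeholder hosts (example.invalid) and only the documented Apple payload keys; it is not the profile from the device in the thread.

```python
import plistlib

# Constructed sample .mobileconfig (not from the thread's device): a profile
# carrying one managed-mail payload, the mechanism described in posts #3 and #5.
# Real profiles also carry PayloadUUID/PayloadVersion keys, omitted for brevity.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadDisplayName</key><string>Senior Discounts</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>PayloadIdentifier</key><string>example.constructed.profile.mail</string>
      <key>EmailAccountDescription</key><string>Senior Discounts</string>
      <key>EmailAccountType</key><string>EmailTypeIMAP</string>
      <key>EmailAddress</key><string>user@example.invalid</string>
      <key>IncomingMailServerHostName</key><string>imap.example.invalid</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Payload types that create mail accounts (IMAP/POP and Exchange ActiveSync).
MAIL_PAYLOAD_TYPES = {"com.apple.mail.managed", "com.apple.eas.account"}


def inspect_profile(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig and report the mail accounts it would add.

    Accounts created this way are managed by the profile, which is why they
    cannot be signed out of or deleted from Accounts & Passwords; removing
    the profile under Profiles & Device Management removes the account.
    """
    profile = plistlib.loads(data)
    accounts = [
        {
            "type": p["PayloadType"],
            "description": p.get("EmailAccountDescription", ""),
            "address": p.get("EmailAddress", ""),
            "incoming_host": p.get("IncomingMailServerHostName", ""),
        }
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") in MAIL_PAYLOAD_TYPES
    ]
    return {
        "display_name": profile.get("PayloadDisplayName", ""),
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "mail_accounts": accounts,
    }
```

A signed profile is a CMS envelope around this XML and would need to be unwrapped first; plistlib.loads only handles the plain form.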
  6. Defthand thread starter macrumors 6502a

    Joined:
    Sep 1, 2010
    #6
    Thank you for the lesson. What is the purpose of profiles, particularly multiple ones?
     
  7. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #7
    They're typically used in corporate environments to configure items on devices, like wifi connections, email accounts, security requirements, and all sorts of settings on a device. Some ISPs like Comcast distribute a configuration profile to make it simpler to connect your device to their wifi networks.
     
  8. macduke macrumors G3
    Joined:
    Jun 27, 2007
    Location:
    Central U.S.
    #8
    Didn't know this was a thing. Apple should give an extra warning or require signing of anything installed via Safari. Or just block installation of these profiles in Safari by default.
     
  9. C DM macrumors Sandy Bridge

    Joined:
    Oct 17, 2011
    #9
    Well, profiles do require user acceptance to be installed.
     
  10. macduke macrumors G3
    Joined:
    Jun 27, 2007
    Location:
    Central U.S.
    #10
    Yeah, but as someone who has done a lot of UX work, something that can seriously cause problems like this shouldn't be a one-tap-to-accept affair. Defaults matter, and defaulting Safari to not accept these profiles (with the ability to override these settings when a device is provisioned for whatever edge-case scenario) means that over 99% of users won't ever have this happen to them, lowering the attack vector and making it unlikely that anyone would still continue to keep up with this exploit in the future, which makes the <1% safer as well.
     
  11. campyguy macrumors 68040

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #11
    OP, what you're describing is nothing new. I run a small company with around 50 employees and most of them carry an iPhone and a cellular iPad. I keep up on the latest scams so my employees don't have to; I started seeing chatter like this on the interwebs around 2 years ago. The two employees that succumbed to exactly what you're describing had one setting in common: they brought their own device and added my company's credentials (I was on vacation at the time).

    Both employees had the "load remote images" setting enabled, which is against my company policy. Both of them insisted that they did not install or accept a profile, and I believed them as it was along the lines of what I was reading online at the time. Multiple times I've intercepted TIFF images with embedded code, going back 15 years. With my other employees who abide by my restrictions, I've never had an issue like the one you've described. Google "take over ipad email senior discounts" and you'll get an idea of how far back this bit goes...
     
  12. C DM macrumors Sandy Bridge

    Joined:
    Oct 17, 2011
    #12
    I could be recalling it wrong, but I think passcode is also required for installation (assuming the device uses one).
    --- Post Merged, May 16, 2018 ---
    I don't think there's any sort of automatic profile installation in iOS, especially via "load remote images" option in email.
     
  13. cmaier macrumors G4

    Joined:
    Jul 25, 2007
    Location:
    California
    #13
    It's not one click. You have to enter your PIN or authenticate, and you are told beforehand what the profile does.
     
  14. macduke macrumors G3
    Joined:
    Jun 27, 2007
    Location:
    Central U.S.
    #14
    I can't remember either. I know I get a lot of carrier updates for T-Mobile and so maybe customers get confused and think it's something like that? Wonder if these people are spoofing carrier update messages by using misleading text.
     
  15. campyguy macrumors 68040

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #15
    There isn't that I'm aware of, agreed. It's a process of accepting, installing, rebooting - that much most of us know. Having coded a bit myself I know it's easy to wreak havoc, and none of us know iOS like Apple. And hackers...
     
  16. theshoehorn macrumors 6502

    Joined:
    Jul 6, 2010
    #16
    In fact, you may have to agree twice along with entering your PIN if I remember correctly...
     