MacRumors

macrumors bot
Original poster


A new bug facing the iOS Mail app was found recently by security specialist Jan Soucek (via The Register). The malicious bug is capable of delivering false iCloud log-in prompts by allowing remote HTML content to be loaded through an email message delivered to the intended victim. The bug then delivers a convincing iCloud log-in box for users to re-enter their Apple ID and password. Soucek says that Apple did not respond to his discovery of the bug when he stumbled across it back in January.


"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in <meta http-equiv=refresh> HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS."

The bug isn't relegated to only iCloud phishing attacks, however, letting anyone with access to it customize the attack to ask for whichever username and password credentials they feel the need for. Soucek kept the details of the bug only between himself and Apple, letting the company have time to possibly fix the attack and inform him of its progress. Given the company's remaining quietness on the subject, he decided to publish the proof of concept - called the Mail.app inject kit - on GitHub in hopes of spreading its awareness.

"It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here."

While Soucek's actions bring the malicious bug to more people's attention and can help stop it in due time, it also means there's a wider chance for phishers to deploy it on their own. Until Apple comments on the story and offers a fix for the bug, it'll be safest to take precaution when any password prompt emerges while browsing email in iOS.

Article Link: New iOS Mail Bug Allows iCloud-Like Popups to Steal User Passwords
 
As proof of concept this is great, but in actuality anyone with some brain and awareness about what he is doing would not fall for this.

When I open a mail, why would I acknowledge a popup about my iCloud login? Normally, it is a nuisance, and I would only waft it away and keep at the mail. This proof, if it works while we are in Settings app, or in App Store, then it is quite potent and dangerous. Because then I would fall for it, that okay f**in Apple asking for password again. But not in my mail. Not in Safari.
 
When I received these as far back as January, I've never entered the credentials being asked for within the pop-up prompt. I typically cancel and go to the requesting app or mail account and test it there to verify it directly bypassing the original prompt. Only because it seemed very Phishy to me at the time and of course still does.
 
I'm confused as to how this is a 'bug'.

All this is is a phishing scam sent via e-mail, like an e-mail pretending to be a notification from your Credit Card provider, or eBay, or PayPal. The only thing specific to iOS is that the developer has used HTML and CSS to create a form that vaguely matches the theme of an iOS modal.

E-mail has supported embedded forms for ages. This would work via Mail.app, or Gmail, or Outlook.... any e-mail client that renders HTML would allow you to enter data into the field and submit it.
 
I've been having issues with repeated requests to log into iCloud for a while so if this happened while I was in Mail, I wouldn't know if it were simply more of the same or a malicious one via Mail itself. You people on here being so smug talking smack about your wives being so dumb need to stop before you embarrass yourself. Well, too late, but I mean after you also fall for it. This is different than falling for a regular phishing email.
 
Will the fake dialog swipe/scroll when you scroll the email? If so, that's a quick check as a defensive stopgap for those who want to watch out for this. A real dialog would be stuck to the screen and not move when you scroll.

Yes, exactly!

In the YouTube video the prompt shifts up when the keyboard appears; something that would not happen with a native iOS prompt.

This is a clever example of a phishing scam that mimics an OS environment rather than the stylings of a business e-mail (like the template your bank uses when communicating, or PayPal, or even an Apple receipt). That's it. It's clever and will probably work on a subset of users but it has nothing to do with the operating system.
 
Yes, exactly!

In the YouTube video the prompt shifts up when the keyboard appears; something that would not happen with a native iOS prompt.

This is a clever example of a phishing scam that mimics an OS environment rather than the stylings of a business e-mail (like the template your bank uses when communicating, or PayPal, or even an Apple receipt). That's it. It's clever and will probably work on a subset of users but it has nothing to do with the operating system.
Seems like email shouldn't be allowed to mimic OS environment.
 
There's no option in iOS mail to turn off html or Javascript is there?

The article says javascript is disabled in mail, but all this form requires is HTML and CSS, which is not disabled.

My thoughts on this person... it seems fine to write about the vulnerability given how long Apple has taken to do anything about it, but releasing functioning code to exploit it seems like a bad idea. Now any script kitty can just copy and paste it and start scamming people.
 
Seems like email shouldn't be allowed to mimic OS environment.

That's not something Apple can control without removing features from Mail that exist in literally every modern e-mail client. Essentially what is happening here is Mail is rendering a website. It's a very small website and it's been designed to look like Apple's UI to trick you.

So here are Apple's options:

  • They could disable HTML / CSS completely, and push Mail back into the dark ages.
  • They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.
  • They could disable specific HTML like FORMS, which would prevent this particular scam but again, cause unexpected issues when a valid e-mail has a valid form.
  • They could scan the email for specific html like FORMS and provide a notice/alert that the email might be attempting to steal passwords. This is probably the best scenario but even so it would scare users away from legitimate emails using forms (which granted, are very few)
But again... this e-mail would look the same and FUNCTION the same whether you viewed it on iOS, or OS X, or Windows, or via Safari or Chrome or Opera... whether you loaded the email from Mail.app or via iCloud or Gmail or Outlook or any other email client.

And any "fix" Apple takes on its end is really only a bandage. It wouldn't prevent this phishing email from functioning on other e-mail clients and any "fix" they offer has downsides as listed above.

It's not an exploit. It's not a bug. It's not something that can only affect iOS users outside that it vaguely looks like the iOS environment. It's not a "Meta tag issue" or the result of some faulty programming on the part of Apple's iOS development team.
 
I'm confused as to how this is a 'bug'.

All this is is a phishing scam sent via e-mail, like an e-mail pretending to be a notification from your Credit Card provider, or eBay, or PayPal. The only thing specific to iOS is that the developer has used HTML and CSS to create a form that vaguely matches the theme of an iOS modal.

E-mail has supported embedded forms for ages. This would work via Mail.app, or Gmail, or Outlook.... any e-mail client that renders HTML would allow you to enter data into the field and submit it.
Because clickbait. That's why.
 
That's not something Apple can control without removing features from Mail that exist in literally every modern e-mail client. Essentially what is happening here is Mail is rendering a website. It's a very small website and it's been designed to look like Apple's UI to trick you.

So here are Apple's options:

  • They could disable HTML / CSS completely, and push Mail back into the dark ages.
  • They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.
  • They could disable specific HTML like FORMS, which would prevent this particular scam but again, cause unexpected issues when a valid e-mail has a valid form.
  • They could scan the email for specific html like FORMS and provide a notice/alert that the email might be attempting to steal passwords. This is probably the best scenario but even so it would scare users away from legitimate emails using forms (which granted, are very few)
But again... this e-mail would look the same and FUNCTION the same whether you viewed it on iOS, or OS X, or Windows, or via Safari or Chrome or Opera... whether you loaded the email from Mail.app or via iCloud or Gmail or Outlook or any other email client.

And any "fix" Apple takes on its end is really only a bandage. It wouldn't prevent this phishing email from functioning on other e-mail clients and any "fix" they offer has downsides as listed above.

It's not an exploit. It's not a bug. It's not something that can only affect iOS users outside that it vaguely looks like the iOS environment. It's not a "Meta tag issue" or the result of some faulty programming on the part of Apple's iOS development team.

You haven't checked the link, have you? https://github.com/jansoucek/iOS-Mail.app-inject-kit
It is a meta tag issue, and your four bullets above wouldn't do anything to stop it. The email doesn't have a form, the email redirects the user to a webpage (within the mail client) that has a form. Big difference. And as the person has described, it doesn't work the same way in all mail clients, as others wouldn't follow the meta refresh.
Go read up, then come back and change your mind.
 
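A receiving-side check for the pattern discussed in the posts above, as an added example that is not part of the thread or of the linked project: it walks a message's text/html parts and flags a meta refresh tag (the redirect described in the reply above) and password inputs (the form-scanning option listed earlier). The class and function names and the sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

class MailHtmlAudit(HTMLParser):
    """Records meta-refresh tags and password inputs seen in one HTML part."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            # content is typically "<seconds>; url=<target>"; the target is optional
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            self.findings.append(("meta-refresh", m.group(1) if m else ""))
        elif tag == "input" and a.get("type", "").strip().lower() == "password":
            self.findings.append(("password-input", a.get("name", "")))

def audit_message(raw_bytes):
    """Return findings from every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = MailHtmlAudit()
            parser.feed(part.get_content())
            parser.close()
            findings.extend(parser.findings)
    return findings

def _sample(html):
    # Constructed test message; addresses and hosts are placeholders.
    head = (b"From: a@example.invalid\r\nTo: b@example.invalid\r\n"
            b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n\r\n")
    return head + html + b"\r\n"

SAMPLE_REFRESH = _sample(b'<html><head><META HTTP-EQUIV="Refresh" '
                         b'content="0; URL=https://landing.example.invalid/p">'
                         b"</head><body>Hello</body></html>")
SAMPLE_FORM = _sample(b'<form action="https://x.example.invalid/s">'
                      b'<input type="password" name="pw"></form>')
SAMPLE_CLEAN = _sample(b"<html><body><p>Newsletter</p></body></html>")

if __name__ == "__main__":
    for name in ("SAMPLE_REFRESH", "SAMPLE_FORM", "SAMPLE_CLEAN"):
        print(name, audit_message(globals()[name]))
```

A mail gateway or client-side filter could use a non-empty result to strip the tag, block remote loading, or show a warning before the message is rendered.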
That's not something Apple can control without removing features from Mail that exist in literally every modern e-mail client. Essentially what is happening here is Mail is rendering a website. It's a very small website and it's been designed to look like Apple's UI to trick you.

So here are Apple's options:

  • They could disable HTML / CSS completely, and push Mail back into the dark ages.
  • They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.
  • They could disable specific HTML like FORMS, which would prevent this particular scam but again, cause unexpected issues when a valid e-mail has a valid form.
  • They could scan the email for specific html like FORMS and provide a notice/alert that the email might be attempting to steal passwords. This is probably the best scenario but even so it would scare users away from legitimate emails using forms (which granted, are very few)
But again... this e-mail would look the same and FUNCTION the same whether you viewed it on iOS, or OS X, or Windows, or via Safari or Chrome or Opera... whether you loaded the email from Mail.app or via iCloud or Gmail or Outlook or any other email client.

And any "fix" Apple takes on its end is really only a bandage. It wouldn't prevent this phishing email from functioning on other e-mail clients and any "fix" they offer has downsides as listed above.

It's not an exploit. It's not a bug. It's not something that can only affect iOS users outside that it vaguely looks like the iOS environment. It's not a "Meta tag issue" or the result of some faulty programming on the part of Apple's iOS development team.
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
You haven't checked the link, have you? https://github.com/jansoucek/iOS-Mail.app-inject-kit
It is a meta tag issue, and your four bullets above wouldn't do anything to stop it. The email doesn't have a form, the email redirects the user to a webpage (within the mail client) that has a form. Big difference. And as the person has described, it doesn't work the same way in all mail clients, as others wouldn't follow the meta refresh.
Go read up, then come back and change your mind.
And then there's that.
 
Checked this on my webmail, and gmail - neither trigger refresh - and so no form.
I agree it's not a bug, just an omission.
 