The article says javascript is disabled in mail, but all this form requires is HTML and CSS, which is not disabled.

My thoughts on this person... it seems fine to write about the vulnerability given how long Apple has taken to do anything about it, but releasing functioning code to exploit it seems like a bad idea. Now any script kiddie can just copy and paste it and start scamming people.

While I agree that it is crappy of someone to put out fully functioning code... If there is something that could be done, 5-6 months is plenty of time for a company like Apple to fix it. It's not like they haven't updated iOS in that time frame.
 
This user in particular is using a meta tag, but there really isn't a need for doing so. In theory (since Yosemite anyway) Mail.app can render forms inline, it was actually a feature Apple bragged about. Like I said, any modern e-mail client can render HTML forms within the e-mail client, natively. It's just bad practice because who the hell would trust a form sent via e-mail.

As for mimicking the iOS environment well... anyone with a working knowledge of HTML/CSS can do that. I put this together in less than 10 minutes: http://codepen.io/rkieru/full/ZGyOpG/
 
Again, you chose not to read the whole page. He explicitly explains why he didn't use an inline form to show the exploit. https://github.com/jansoucek/iOS-Mail.app-inject-kit/issues/1
 
*Way too much smugness around here.*

This is a UNIX world right? Or was.

Apple needs to give us a plain-text email option like any good UNIX client.

There will be users who fall for this and this wouldn't be newsworthy if Apple had included a plain-text email option out of the box.
 
They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.

I thought there already was a toggle: "Load remote content". I have that turned off by default.
 
It is a meta tag issue, and your four bullets above wouldn't do anything to stop it.

I believe a plain-text email option in Settings, similar to the "Load remote images" option would help prevent this because the HTML multipart/alternative MIME part would be ignored client-side.
 
I've been having issues with repeated requests to log into iCloud for a while so if this happened while I was in Mail, I wouldn't know if it were simply more of the same or a malicious one via Mail itself. You people on here being so smug talking smack about your wives being so dumb need to stop before you embarrass yourselves. Well, too late, but I mean after you also fall for it. This is different than falling for a regular phishing email.
To be on the safe side I would close the mail app and re-enter your password in iCloud settings. Also have 2-step authentication so ppl can't get into your account even with your password.
 
Looking at the history of iOS exploits and Apple's reaction to them: without publishing out in the wild, no reaction will come from Apple's side. Remember the iCloud "hacking" issue, where there was an exploit which could brute-force? It was reported a long time ago and Apple didn't manage to fix it in time....
5-6 months to fix a security issue is not acceptable for such a company, which states that iOS is the most secure operating system... 3-4 weeks maximum for security issues.
Even talking about the Arabic symbols bug, it takes too much time to get fixed.
 
The message crash bug.... ugh... With differential OTA updates that would be a tiny update to fix it. No excuse for that one to still be around.
 
While not a good bug at all, and should be addressed sooner than later, it doesn't seem to be an exploit, which puts it in a somewhat different category than actual security issues.
 
Messaging is part of the basic functions of phones these days, no? Something that crashes a basic function is a pretty damn big deal.
 
It can be a big deal (although it doesn't appear to be as much of one, or as big as something can really be), but it's still not a security exploit, which is just by its nature in a somewhat separate category.
 
Separate category, yes. Not important and not worth a fast fix? No. It is a basic function. Basic function means it should work... without crashing. Apple has no excuse for not fixing it in short order given their resources and claims about iOS.

To give Apple a pass on this because it "isn't security related" is pretty short sighted.
 
Well, I certainly didn't say that, and in fact said pretty much the opposite of that.
 
I set up two-step authentication for iCloud long ago, logging into my iCloud account isn't possible without that second verification step. Now would be a good time to set up two-step authentication for those who haven't done so.
 
No, it's actually "Load Remote Content" which I assume means more than images.

Ok, I think you're referring to the OS X version of Mail.

Does anyone here know for sure what the iOS Load Remote Images does on the technical side? Specifically what MIME cases is it blocking?
 
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.

I posted a good while ago about exactly this problem. Of my four iCloud enabled devices I must get at least one spurious iCloud password prompt per day (although some periods are worse than others). It seems to be either iMessage and its eternal struggle to get a ****ing grip, or FaceTime, or some other cluster that's gone off behind the scenes. And these prompts are rarely related to me actually trying to do something iCloud related. Just turn on the iPhone, and 'enter your iCloud password'. Apple don't even say why, just training us, like good little dupes, to hand it over whenever some plain white box asks for it.
 
That's not something Apple can control without removing features from Mail that exist in literally every modern e-mail client. Essentially what is happening here is Mail is rendering a website. It's a very small website and it's been designed to look like Apple's UI to trick you.

So here are Apple's options:

  • They could disable HTML / CSS completely, and push Mail back into the dark ages.
  • They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.
  • They could disable specific HTML like FORMS, which would prevent this particular scam but again, cause unexpected issues when a valid e-mail has a valid form.
  • They could scan the email for specific HTML like FORMS and provide a notice/alert that the email might be attempting to steal passwords. This is probably the best scenario but even so it would scare users away from legitimate emails using forms (which granted, are very few).
But again... this e-mail would look the same and FUNCTION the same whether you viewed it on iOS, or OS X, or Windows, or via Safari or Chrome or Opera... whether you loaded the email from Mail.app or via iCloud or Gmail or Outlook or any other email client.

And any "fix" Apple takes on its end is really only a bandage. It wouldn't prevent this phishing email from functioning on other e-mail clients and any "fix" they offer has downsides as listed above.

It's not an exploit. It's not a bug. It's not something that can only affect iOS users outside that it vaguely looks like the iOS environment. It's not a "Meta tag issue" or the result of some faulty programming on the part of Apple's iOS development team.

Giving users a plain-text display option is the UNIX solution which would have allowed us to provide a valid fix to friends and the media. Proper email should always include some text/plain content anyways.

On the HTML side, why not disregard:

`<meta http-equiv="refresh" content="0">`
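Added example, not part of any post in this thread and not Apple's or the kit author's code: a sketch of the two client-side defenses the posters propose, showing only the text/plain alternative and scanning the HTML part for forms, password inputs and `<meta http-equiv="refresh">`. The names `RiskScanner` and `triage`, the addresses and the sample message are all constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

class RiskScanner(HTMLParser):
    """Flags the markup the thread singles out: forms, password inputs, meta refresh."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}  # attribute values may be None
        if tag == "form":
            self.findings.add("form")
        elif tag == "input" and a.get("type") == "password":
            self.findings.add("password-input")
        elif tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.add("meta-refresh")

def triage(raw_bytes):
    """Return (text_to_display, sorted findings); HTML is inspected, never rendered."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = RiskScanner()
            scanner.feed(part.get_content())
            scanner.close()
            findings |= scanner.findings
    plain = msg.get_body(preferencelist=("plain",))  # plain-text-only display policy
    text = plain.get_content() if plain is not None else "[no text/plain part]"
    return text, sorted(findings)

# Constructed sample: multipart/alternative with a benign plain part and a risky HTML part.
SAMPLE = (
    b"From: sender@example.com\r\nTo: user@example.com\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Hello, this is the plain part.\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><head><meta http-equiv="refresh" content="0"></head>'
    b'<body><form><input type="password" name="p"></form></body></html>\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message with no text/plain part yields the placeholder string rather than rendered HTML, which is the trade-off the thread notes for mail that only ships an HTML body.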
 
Ultimately, if a person were to fall for this, and they had 2 factor authentication enabled, wouldn't that defeat the attack? I.e. you'd be notified if anyone managed to phish you and use your credentials....or am I wrong?

Fortunately the text box looks little like anything Apple has sent me concerning login to iCloud. Every time I've gotten one of these the Apple ID portion is separate from the input box.
 
You are correct. An attacker cannot even log into an iCloud account that is protected with two-step authentication. Go ahead and set up two-step auth on your account, then try to log in and see what happens :)
 
The problem is, good InfoSec would require a password reset to be sure that an account is not compromised in some area. 2FA would save the day perhaps, but leads to other steps. A plain-text option would have worked quietly in the background.
 
You bring up a point worthy of further research. A stand-alone website would indeed benefit from a password reset, or even a single app, but how would that work on an account that affects more than one device/person? Resetting my iCloud password would affect several devices/computers (Macs, iPads, iPods, iPhones, ATV, etc) and 9 people.
 