iOS flaw tricks you into giving up your iCloud password (updated)

Steve Dent, @stevetdent
June 11, 2015

Successful hack attacks often happen not because of tricky coding, but plain old "social engineering" -- i.e., conning people. A GitHub researcher called "jansoucek" has discovered an iOS exploit that works on that principle to steal people's iCloud passwords. The latest version of iOS, 8.3, apparently fails to filter out potentially dangerous HTML code embedded in incoming emails. The researcher's proof-of-concept code takes advantage of that by calling up a remote HTML form that looks identical to the iCloud log-in window. It could easily trick someone into entering their iCloud username and password, then hide the dialog after the user taps "OK."
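The weak point the article describes is HTML in an incoming message that is rendered rather than filtered. As an added example (not the article's or the researcher's code), here is a gateway-side check, written against the Python standard library, that walks the text/html parts of a raw message and flags the markup a credential prompt needs: a form, a password field, or a meta refresh that pulls in a remote page. The sample messages are constructed for the demonstration.

```python
# Added example: flag HTML email parts that carry credential-prompt markup,
# the kind of content the article says iOS 8.3 Mail rendered unfiltered.
import email
from email import policy
from html.parser import HTMLParser

class CredentialPromptScanner(HTMLParser):
    """Collects <form> actions, password inputs and meta-refresh redirects."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.findings.append(("form_action", a.get("action", "")))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password_input", a.get("name", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta_refresh", a.get("content", "")))

def scan_message(raw: bytes) -> list:
    """Return findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = CredentialPromptScanner()
        scanner.feed(part.get_content())
        findings.extend(scanner.findings)
    return findings

def is_suspicious(raw: bytes) -> bool:
    """Policy: quarantine if the HTML asks for a password or auto-redirects."""
    kinds = {kind for kind, _ in scan_message(raw)}
    return "password_input" in kinds or "meta_refresh" in kinds

# Constructed sample messages (not real mail).
BENIGN = b"""From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\
Content-Type: text/html\r\n\r\n<html><body><p>See you at 3pm.</p></body></html>\r\n"""
SUSPICIOUS = b"""From: a@example.com\r\nTo: b@example.com\r\nSubject: sign in\r\n\
Content-Type: text/html\r\n\r\n<html><body><form action="https://collector.example/post">\
<input name="user"><input type="password" name="pw"></form></body></html>\r\n"""

if __name__ == "__main__":
    print(scan_message(SUSPICIOUS), is_suspicious(SUSPICIOUS))
```

The same walk over `msg.walk()` also covers multipart messages, where the HTML part sits beside a plain-text alternative.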

More sophisticated folks might be suspicious, since there are differences between a real iCloud log-in and the fake one. For instance, predictive keyboard mode doesn't turn off like it normally would, and the fake dialog can be dismissed by hitting "home," unlike the real McCoy. Still, if you weren't thinking for a second or didn't notice those things, a baddie could nab your password and seize control without you realizing a thing. (Two-step authentication would save your bacon, of course.) Jansoucek said that he first reported the bug in January, but it has yet to be fixed, hence his decision to publish the proof-of-concept. We've reached out to Apple for comment.

Update: Apple has told us that it's working on a fix for the vulnerability and hasn't heard of any attacks that use it yet. It also reiterated that two-step authentication will nip any danger in the bud, and that you might as well get used to it now, since it'll be an "integral" part of iOS 9.

We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update.
