iOS flaw tricks you into giving up your iCloud password (updated)

Successful hack attacks often happen not because of tricky coding, but plain old "social engineering" -- i.e., conning people. A GitHub researcher called "jansoucek" has discovered an iOS exploit that works on that principle to steal people's iCloud passwords. The latest version of iOS, 8.3, apparently fails to filter out potentially dangerous HTML code embedded in incoming emails. The researcher's proof-of-concept code takes advantage of that by calling up a remote HTML form that looks identical to the iCloud log-in window. It could easily trick someone into entering their iCloud username and password, then hide the dialog after the user taps "OK."
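The weakness described above is that the mail client renders whatever HTML arrives in a message, so a form and remotely loaded content can be drawn over the message body. As an added illustration (this is not the researcher's proof of concept and not Apple's code), here is a small allowlist sanitizer of the kind a mail client can run before rendering: it drops form controls, script, frames, embedded objects and remote images, strips every event-handler attribute and non-http(s)/mailto link, and keeps only plain formatting. The sample message it is run on is constructed for the example; the host name in it is a placeholder.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that can build a fake login dialog, run script, or pull remote
# content into the message body. They are dropped together with everything
# inside them.
DROP_WITH_CONTENT = {
    "script", "style", "form", "input", "button", "select", "textarea",
    "iframe", "frame", "object", "embed", "meta", "link", "base", "dialog",
    "template",
}
# Void (self-closing) elements never get a matching end tag.
VOID = {"br", "img", "input", "meta", "link", "base", "frame"}
# Plain formatting elements kept as-is. Any other tag is unwrapped: the tag
# goes away but its text survives. <img> is deliberately not listed, so remote
# images cannot be used as tracking pixels or as pieces of a fake dialog.
ALLOWED = {
    "p", "br", "b", "i", "em", "strong", "u", "a", "ul", "ol", "li",
    "h1", "h2", "h3", "blockquote", "span", "div", "table", "tr", "td", "th",
}
ALLOWED_ATTRS = {"href", "title"}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}


def safe_attr(name, value):
    """Return True if an attribute may be kept on an allowed element."""
    if name not in ALLOWED_ATTRS or value is None:
        return False  # drops every on* handler, style, class, id, ...
    if name == "href":
        # Reject javascript:, data:, vbscript: and any other unusual scheme.
        return urlsplit(value.strip()).scheme.lower() in ALLOWED_URL_SCHEMES
    return True


class MailSanitizer(HTMLParser):
    """Allowlist sanitizer for the HTML part of an e-mail message."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            if tag not in VOID:
                self.skip_depth += 1  # swallow until the matching end tag
            return
        if self.skip_depth or tag not in ALLOWED:
            return
        kept = "".join(
            f' {n}="{escape(v, quote=True)}"' for n, v in attrs if safe_attr(n, v)
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if tag not in VOID and self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # re-escape text, entities included


def sanitize_mail_html(html):
    """Strip forms, script, frames and active/remote content from mail HTML."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message: a password form, a remote frame, a script and a
# link with an inline handler, all of which must disappear before rendering.
SAMPLE_MAIL = (
    "<p>Hi, your account needs attention.</p>"
    '<form action="https://example.invalid/collect">'
    '<input name="password" type="password"><button>OK</button></form>'
    '<iframe src="https://example.invalid/login"></iframe>'
    '<a href="javascript:alert(1)" onclick="steal()">Sign in</a>'
    '<script>document.title="x"</script>'
    "<p>Thanks, <b>Support</b></p>"
)

if __name__ == "__main__":
    print(sanitize_mail_html(SAMPLE_MAIL))
```

The design choice is an allowlist rather than a blocklist: every tag and attribute that is not explicitly known to be harmless is removed, so a new element type or an unusual attribute name does not slip through. Text content is always re-escaped on output, so a message cannot smuggle markup through character references either.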

More sophisticated folks might be suspicious, since there are differences between a real iCloud log-in and the fake one. For instance, predictive keyboard mode doesn't turn off like it normally would, and the fake dialog can be dismissed by hitting "home," unlike the real McCoy. Still, if you weren't thinking for a second or didn't notice those things, a baddie could nab your password and seize control without you realizing a thing. (Two-step authentication would save your bacon, of course.) Jansoucek said that he first reported the bug in January, but it has yet to be fixed, hence his decision to publish the proof-of-concept. We've reached out to Apple for comment.

Update: Apple has told us that it's working on a fix for the vulnerability and hasn't heard of any attacks that use it yet. It also reiterated that two-step authentication will nip any danger in the bud, and that you might as well get used to it now, since it'll be an "integral" part of iOS 9.

We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update.