Skip to main content

Beware of iCloud login prompts: A new security flaw lets hackers steal your info

iPhone icloud
Shuttershock
Apple’s mobile operating system iOS has a reputation for being more secure than Android, but recently, it seems that more hackers are targeting iPhone and iPad users. A GitHub user by the name of Jansouceket discovered yet another iOS vulnerability back in January and reported it to Apple. The friendly hacker demonstrated how an attack code can be used in the Mail app to steal users’ iCloud logins and other sensitive information.

Apparently, ever since Apple released iOS 8.3 in early April, the Mail app has stopped removing potentially dangerous HTML code from the emails users receive. One tag instructs the Mail app to download and execute code remotely. The command then brings up a form box, which mimics the appearance of an iCloud log in request box. If the user logs in, the hacker can then steal his or her iCloud account user name and password. With these two pieces of information, the hacker can steal other personal information stored in iCloud.

Proof-of-concept: iOS 8.3 Mail.app attack

“This bug allows remote HTML content to be loaded, replacing the content of the original email message,” Jansoucek wrote. “JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS [cascading style sheets].”

To make matters worse, the vulnerability places a tracking cookie in the Mail app, so that the code doesn’t execute the same command every time the infected email is opened in the app. That way, the user doesn’t get suspicious of the message or notice the link between that specific email and the iCloud login prompt. Additionally, the hacker can change the code at any time to access different information.

Luckily, there is a trick iOS users can employ to protect themselves from the hack. Although the malicious code does a pretty good imitation of the iCloud login box, it isn’t perfect. First off, the box asks for both your Apple ID and your password, while iCloud typically asks for only your password and already displays your user name. Secondly, the box isn’t modal, so the background doesn’t fade and the screen isn’t static when the prompt comes up. Additionally, keyboard suggestions remain activated, which is something that never happens when you receive an iCloud prompt on iOS.

Of course, these differences are subtle, and many won’t notice them. Apple has yet to respond, but hopefully the patch will come soon. Until then, the next time you see an iCloud login request, check for these telltale signs to ensure that you’re not being hacked.

Editors' Recommendations

Malarie Gokey
Former Digital Trends Contributor
As DT's Mobile Editor, Malarie runs the Mobile and Wearables sections, which cover smartphones, tablets, smartwatches, and…
iOS 17.3 will give your iPhone a much-needed security upgrade
A person holding the Apple iPhone 15 Plus and Apple iPhone 15 Pro Max.

Apple has started testing a new feature that will add an extra layer of protection to your iPhone, something that will also dissuade thieves from snatching your phone. The feature in question is called Stolen Device Protection, and it is currently rolling out with the developer build of iOS 17.3 for users. This comes just one day after iOS 17.2 started rolling out to the public.

“This new feature adds an additional layer of security in the unlikely case that someone has stolen your phone and also obtained your passcode,” says Apple. Once enabled, this feature sets three additional security walls on your iPhone, which are as follows:

Read more
iOS 17.2 just arrived — here’s what’s new in the big iPhone update
Apple Journal app on iPhone 15 Pro.

After two beta versions, Apple has just released iOS 17.2 to the general public. (And along with it, tvOS 17.2 for Apple TV.)  This update is a rather big one, as it finally brings Apple’s native Journal app, which was missing from the initial iOS 17 release earlier this year. On top of that, there are more big changes for Apple Music and elsewhere.

The biggest feature of the iOS 17.2 update is the new Journal app. This native app lets users record posts about their day, with the ability to add photos and video, audio clips, and even location data, all of which the user can reflect on at some point in the future. It’s another great step for helping with mental well-being, similar to the moods featured in Apple Health.

Read more
I tried the iPhone’s new Journal app. Here’s what’s good (and bad)
Apple Journal app on iPhone 15 Pro.

Apple's Journal app in iOS 17 is like a basic notetaking app supercharged with AI. It offers prompts and suggestions based on what you do throughout the day to help you journal your daily entries.

While the app is a basic white screen with a “+” icon, it's what happens after you tap on that icon that sets it apart from Notes or other journaling apps. I've been using the app for a little while now, and while it's not perfect, it is off to a really interesting start.
Using iOS 17's Journal app

Read more