Apple’s mobile operating system iOS has a reputation for being more secure than Android, but recently, it seems that more hackers are targeting iPhone and iPad users. A GitHub user by the name of Jansouceket discovered yet another iOS vulnerability back in January and reported it to Apple. The friendly hacker demonstrated how an attack code can be used in the Mail app to steal users’ iCloud logins and other sensitive information.
Apparently, ever since Apple released iOS 8.3 in early April, the Mail app has stopped removing potentially dangerous HTML code from the emails users receive. One tag instructs the Mail app to download and execute code remotely. The command then brings up a form box, which mimics the appearance of an iCloud log in request box. If the user logs in, the hacker can then steal his or her iCloud account user name and password. With these two pieces of information, the hacker can steal other personal information stored in iCloud.
“This bug allows remote HTML content to be loaded, replacing the content of the original email message,” Jansoucek wrote. “JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS [cascading style sheets].”
To make matters worse, the vulnerability places a tracking cookie in the Mail app, so that the code doesn’t execute the same command every time the infected email is opened in the app. That way, the user doesn’t get suspicious of the message or notice the link between that specific email and the iCloud login prompt. Additionally, the hacker can change the code at any time to access different information.
Luckily, there is a trick iOS users can employ to protect themselves from the hack. Although the malicious code does a pretty good imitation of the iCloud login box, it isn’t perfect. First off, the box asks for both your Apple ID and your password, while iCloud typically asks for only your password and already displays your user name. Secondly, the box isn’t modal, so the background doesn’t fade and the screen isn’t static when the prompt comes up. Additionally, keyboard suggestions remain activated, which is something that never happens when you receive an iCloud prompt on iOS.
Of course, these differences are subtle, and many won’t notice them. Apple has yet to respond, but hopefully the patch will come soon. Until then, the next time you see an iCloud login request, check for these telltale signs to ensure that you’re not being hacked.
