The flaw was first noticed by Ernst and Young forensic bod Jan Soucek. He has created a tool capable of generating slick iCloud password phishing emails he says exploits an unpatched bug.
He has even recorded a proof-of-concept video.
He made an iOS 8.3 Mail.app inject kit. It exploits a bug in the native email app and can produce a realistic pop-up. Soucek explained that he first told Apple about the bug in January, but that the company had not responded or fixed the problem.
Now he has opted for a more extreme approach. The complete kit is available on Github.
`Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tags in email messages not being ignored,` Soucek said.
`This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS.
`It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2.`
Hackers can now use the free tools to customize them and attack whichever iOS credentials they wanted. Unsuspecting Apple users would only get a security pop-up no different from the regular iCloud identification process.
Read original article
No comments:
Post a Comment