When we get complacent, we get bad about security. The more we're prompted by something irritating that can be dismissed only by entering a password again, the more likely we are to not pay attention to what's asking. I speak, of course, of Apple's seemingly random and sometimes frequent iCloud login popup messages in iOS.
A vulnerability of sorts has been uncovered in HTML handling in Mail in iOS that leverages our desire to ignore a message by just giving it what it wants. It's not an exploit that allows remote control or system access. Rather, it's a form of Trojan horse that engages in phishing, fooling the unwary and the wary alike into entering a credential in an illegitimate place that can be used elsewhere.
The person posting the vulnerability, Jan Souček, says it was reported in January to Apple (though he filed a bug rather than use Apple's security reporting email). And a video was posted in January that shows the problem. Souček confirmed via Twitter that Apple's security team has been aware of the issue since January.
An Apple spokesperson said, "We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update." Apple confirmed that two-step verification for an Apple ID would deter this particular phishing attack, as it does others, by requiring an attacker to use a second element that they cannot gain access to remotely. (Apple plans more robust, native two-factor authentication support in iOS 9.)
Stop the popover
After I restore or upgrade iOS, and sometimes after I restart it, I'm flooded by what feels like spurious login dialogs to iCloud, iMessage, and other services. This is in part because I have two Apple IDs associated with Apple cloud stuff, since the company can't manage to let us merge accounts and purchases. An older Apple ID is used with iCloud sync, a newer one with iTunes purchases.
Sometimes, I have to enter what seems to be the same password for the same account 6 to 10 times before the dialogs stop pestering me. That's bad system design, and something I hope that Apple is working on with iOS 9. Credentials for the same resources should be pooled over short periods of time rather than requested repeatedly, even if a second factor is required.
The phishing attack developed by Souček and posted a few days ago in a code repository, and first reported on by Dan Goodin at Ars Technica on Wednesday, takes a clever approach to leverage a flaw in Mail. (Goodin reported that this weakness appeared in iOS 8.3 in April, but the video dates to January, which is when the developer confirmed he filed a bug report.)