This article was published on June 10, 2015

Bug in iOS Mail app lets hackers send fake password collector as a pop-up notification


The next time you’re asked for log-in credentials while using an iOS device, think twice before answering. A flaw in Apple’s Mail app has been discovered, and it could be used to steal exactly the information you don’t want anyone else to have.

In the stock iOS Mail app, an attacker can make a pop-up appear that asks for various log-in credentials. It looks legitimate, and it works because Mail processes a line of code in the message that it should ignore; that line loads remote HTML content into the message view.

That remote HTML can then render a plain-looking password prompt, built from nothing more than simple HTML and CSS.

The most straightforward grab would be iCloud credentials, since the code uses your email address when prompting for a password. The same trick could be aimed at anything, though: a Twitter log-in, a Facebook password — you name it.

Developer Jan Soucek notes on GitHub that a Radar (an Apple bug report) was filed for this back in January (around the time of iOS 8.1.2), but Apple has yet to address it.

The positive twist here is that this exploit is specific to the stock Mail app. If you use a different email client (even with an iCloud email address), you probably won’t be affected.

iOS 8.3 Mail.app inject kit [GitHub]
