Apple’s iOS platform is one of the most secure mobile operating systems in the world, and each release brings new security features and enhancements. iPhones and iPads are proliferating in the workplace at a rapid pace, and even spy agencies tend to have difficulties cracking encrypted communications that originate on an iOS device.
But no software is without flaws, and a new security vulnerability makes iPhones and iPads painfully vulnerable to phishing scams that can easily allow someone to steal your Apple ID username and password.
Ernst & Young security researcher Jan Soucek has built a tool that could easily trick iPhone and iPad users into handing over the usernames and passwords tied to their email accounts or even their Apple IDs.
As noted by The Register, Soucek’s tool takes advantage of a potential flaw in Apple’s iOS Mail app that automatically loads remote HTML content. The researcher has simply created HTML pop-ups that look exactly like the dialog box that appears when an iOS device requires the user to reenter his or her email credentials or Apple ID.
Unsuspecting victims are so used to seeing these dialog boxes that the odds are good they would enter their email addresses and passwords without thinking twice. Once this sensitive information is entered and the user taps OK, his or her credentials are sent to a remote server where the attackers can access them.
“Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in HTML tag in e-mail messages not being ignored,” Soucek said on the GitHub page hosting his project. “This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS. It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2.”
As noted by the researcher, Apple has yet to address the issue.