Thursday, 11 June 2015

Apple users vulnerable to slick iCloud password phishing emails

Ernst and Young forensic bod Jan Soucek has created a tool capable of generating slick iCloud password phishing emails, which he says exploits an unpatched bug affecting millions of Apple users.

The researcher created the iOS 8.3 Mail.app inject kit, which exploits a bug in the operating system's native email client to produce a realistic copy of the password pop-up to which Apple users are accustomed.

Soucek (@jansoucek) says Cupertino did not respond when he informed it of the bug in January.

"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tags in email messages not being ignored," Soucek says.

"This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS.
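The bug class Soucek describes, an email client rendering HTML tags it should have neutralised and pulling remote content into the message body, is something a mail gateway can screen for before the message ever reaches the client. The following is an added example written for this article, not code from Soucek's kit or from Apple: a small heuristic auditor that parses a decoded HTML mail body and flags tags that load or submit to a remote origin, meta-refresh redirects, and password fields. The sample messages are constructed, the `example.invalid` hosts are placeholders, and the heuristics are generic (they do not reproduce the specific iOS 8.3 rendering defect).

```python
"""Flag HTML e-mail bodies that load remote content or carry credential forms.

Added example, not from the article or from Soucek's kit. Assumption: the
mail has already been decoded to an HTML string by the gateway. The checks
are generic mail-hygiene heuristics, not a model of the iOS 8.3 Mail.app bug.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL-bearing attribute pulls in, or submits to, another origin.
# Plain <img> and <a> are deliberately not listed: remote images and links
# are routine in legitimate mail and would drown the signal in noise.
REMOTE_ATTRS = {
    "iframe": "src",
    "frame": "src",
    "object": "data",
    "embed": "src",
    "link": "href",
    "form": "action",
}


class MailHtmlAuditor(HTMLParser):
    """Collects human-readable findings while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names; a value may be None
        # for bare attributes, so normalise to "" before using it.
        a = {k: (v or "") for k, v in attrs}
        if tag in REMOTE_ATTRS:
            url = a.get(REMOTE_ATTRS[tag], "")
            if urlparse(url).scheme in ("http", "https"):
                self.findings.append(f"{tag} loads remote content: {url}")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect: " + a.get("content", ""))
        if tag == "form":
            self._in_form = True
        if tag == "input" and a.get("type", "").lower() == "password":
            where = " inside form" if self._in_form else ""
            self.findings.append("password input" + where)

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit_mail_html(html: str) -> list[str]:
    """Return the list of findings for one decoded HTML mail body."""
    parser = MailHtmlAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample bodies (not real messages).
BENIGN = """<html><body><p>Monthly newsletter</p>
<img src="https://example.invalid/logo.png">
<a href="https://example.invalid/news">Read more</a></body></html>"""

SUSPECT = """<html><body><p>Your account needs verification.</p>
<iframe src="https://example.invalid/verify" width="1" height="1"></iframe>
<form action="https://example.invalid/submit" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_mail_html(body) or "no findings")
```

Run as a script it prints no findings for the newsletter and three for the suspect body (a remote iframe, a form posting off-site, and a password field inside that form). In a real gateway the findings would feed a scoring rule rather than a hard block, since some legitimate senders do use forms; the point is that the remote-load and credential-form combination is visible on the wire without needing the client to be patched.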