[youtube=https://www.youtube.com/watch?v=9wiMG-oqKf0]
Update: Apple confirmed it’s aware of the issue and working on a fix:
“We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update.”
If you are reading mail on your iPhone and iPad and a popup appears asking you to re-login to iCloud (or anything else), beware. Security researcher Jan Soucek discovered a bug in the iOS Mail app that allowed an attacker to run remote HTML code when an email is opened. That code could easily imitate an iCloud login prompt, fooling users into giving away their Apple ID credentials …
While Soucek uses iCloud as the demonstration – as it’s not uncommon for an iOS device to prompt people to login again – the same code could be used to imitate any website or service. It doesn’t have to be a phishing prompt for authentication either — any arbitrary HTML and CSS can run.
Soucek says that he first spotted the bug in iOS 8.1.1, filing a bug report with Apple. At that time, he kept the details to himself, allowing Apple time to fix the bug. Five months later, the company has still not done so, he said, and he therefore chose to make the code public to draw attention to the risk.
It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here.
Soucek has now uploaded proof of concept to the code-sharing site GitHub. While this serves to alert people to the existence of the flaw, and applies pressure to Apple to fix it in a future update, it also means the code is out there for anyone to use.
The safe course for now is to assume that any login popup that appears while using the iOS Mail app is malicious. If your iOS device does indeed need you to login again to iCloud or anything else, wait until prompted when not using Mail.
FTC: We use income earning auto affiliate links. More.
I am all for guys like this filing bug reports, waiting, then, after a reasonable amount if time (8.1.1 into 8.4 is reasonable to me) announcing the found it.
What I despise is releasing the code under the guise of “proof of concept”
To me, it is completely irresponsible, and makes that person, at minimum, just as culpable, if not more so, than the company with the bad code
So thank you for finding it and alerting Apple. That you for giving them a chance to fix it.
But all goodwill is out the window for sharing/releasing the code public.
What has occurred in the past with other disclosures, is that the researchers think “oh, this is pretty arcane” and don’t release a proof of concept. Or the company that they file against thinks it’s “no big deal”. Then, months later, it is found to be USED by some other nefarious group; imagine that, this arcane thing HAD already been discovered by the bad guys and kept quiet. (Read up on details of the iCloud picture hack.)
Apple got the information. This discovery was something that was significant enough (we all pretty much use email) to warrant both the filing, the proof of concept, and–following Apple’s complete lack of progress–the reveal on GitHub to pressure Apple.
If there is one thing I have learned about Apple in 30+ years it is that they often will not do things when prodded by outside influence unless they are shamed into doing it. Six months is considered ample time, two full iOS releases (and a third coming) provided ample opportunity. Apple decided not to do anything (and this is the VERY kind of thing that would be used in iCloud hacks); they deserve the shame, not the researcher. Contrary to community groupthink, Apple is abysmal at security, and this is just yet another in a long line of failures.
I would argue that your logic is backwards. By revealing this issue to the public and putting out POC code he makes the general public aware of the problem. This means that any blackhat hacker stupid enough to use public domain code will likely be thwarted because people know what to look for.
If this code was not released then an attacker who stumbles upon this vulnerability could have exploited this bug and no one would have been aware of the consequences.
This method of releasing relatively harmless POC code allows for the minimum damage to users while the maximum chance that Apple will fix the issue in an update in the near future.
I understand the pain from a consumer perspective, but from a developer’s perspective – a developer who knows very well the pain of trying to get Apple to fix vulnerabilities – this is the right move, 99% of the time.
Don’t release the code, only the information that it exists. Now, because of this persons foolishness, others may have their passwords stolen.
You seem to be missing the point. If he put out the fact that http-equiv=refresh is allowed in an email any high school student with a laptop could have written the code he wrote. The code is simple by just about anyone’s standards. I don’t even know PHP (the language in which the server code is written) and with half an hour on Google I could have written the code he wrote.
The code doesn’t actually steal any password. It just display a window to prompt for your password. To actually steal the password you will have to write more code to do that. And if you are technical enough to write that, you are probably more than able to write the whole thing yourself without any help from the author.
That’s good to read.
Others are of the Social Networking type, where you are encouraged to reset your password by a genuine- sounding tech company source address or name, some IP Address information of a suspected intrusion attempt, its date, time and location.
I received such a one yesterday 9th June from “Yahoo Security Services” – examining the header in detail revealed the real address as a private gmail account, and the email subject read “Sign-activity” instead of Sign-in Activity. It then posted links asking to “verify my Yahoo password” and “reactivate second sign-in”…
Yeah, never click a login link in an email – always use your own bookmarks.
I am all for Apple being shamed into acting, they have had time, and didn’t deal with it…! On a side note has anyone else noticed a really big increase in emails such as this…???
———————————————
“iCloud ID – info@***********.co.uk
This is the final message to notify you as of 07 – June – 2015 that you have not yet updated your iCloud ID details. Under “KYC” legislation Apple Inc is required by law to carry out a one time a validation of your Apple ID, failure to complete this validation will result in deletion of your Apple ID and associated information within the next two days.
Please advance below to »
Validate your iTunes Profile
To cancel the deletion of your Apple ID please proceed to continue to your Apple ID settings before the deadline.
Resolution Support Request ID: #K19FHJ7911319310
Regards,
Genius Support Team”
——————————————–
Always makes me laugh, and they are always trashed, but i know a few people who are actually stupid and have responded…