Skip to main content

PSA: A new phishing attack could trick you into giving away your Apple ID password

Avatar for Chance Miller  | Oct 10 2017 - 5:12 pm PT
0 Comments

If you’ve used an iOS device at all, you’ve almost certainly been presented with the above popup asking you to enter your Apple ID password. It often appears within the App Store and iTunes Store, but it also has a tendency to randomly popup from time to time due to something running in the background.

A new blog post from developer Felix Krause, however, explains how that popup could be used to easily trick someone into handing over their Apple ID and password…

The developer explains it is incredibly easy for an iOS app maker to recreate the Apple ID password prompt. From there, the app could send that popup and subsequently log the Apple ID and password. It takes less than 30 lines of code and could seemingly be dropped in any legitimate iOS app and sneak past App Store review teams.

Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.

Krause notes how this has been a big problem on desktop browsers for years, with illegitimate websites sending fake popups that are nearly identical to normal system notifications. It’s largely the same for iOS as well. He says he’s already filed this issue as a radar with Apple and explains that it could be fixed by Apple not allowing passwords to be entered in popups, but rather only in the Settings app/App Store.

As for how you can protect yourself, Krause outlines the following steps:

  • Hit the home button, and see if the app quits:
    • If it closes the app, and with it the dialog, then this was a phishing attack
    • If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.
  • Don’t enter your credentials into a popup, instead, dismiss it, and open the Settings app manually. This is the same concept, like you should never click on links on emails, but instead open the website manually
  • If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.

You can read Krause’s full explanation of this phishing method on his blog right here.

Check out 9to5Mac on YouTube for more Apple news:

Add 9to5Mac to your Google News feed. 

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Check out 9to5Mac on YouTube for more Apple news:

Comments

Guides

iOS

iOS

iOS is Apple's mobile operating system that runs…

Author

Avatar for Chance Miller Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.

Tips, questions, typos to chance@9to5mac.com