A new bug facing the iOS Mail app was found recently by security specialist Jan Soucek (via The Register). The malicious bug is capable of delivering false iCloud log-in prompts by allowing remote HTML content to be loaded through an email message delivered to the intended victim. The bug then delivers a convincing iCloud log-in box for users to re-enter their Apple ID and password. Soucek says that Apple did not respond to his discovery of the bug when he stumbled across it back in January.


"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS."

The bug isn't relegated to only iCloud phishing attacks, however, letting anyone with access to it customize the attack to ask for whichever username and password credentials they feel the need for. Soucek kept the details of the bug only between himself and Apple, letting the company have time to possibly fix the attack and inform him of its progress. Given the company's remaining quietness on the subject, he decided to publish the proof of concept - called the Mail.app inject kit - on GitHub in hopes of spreading its awareness.

"It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here."

While Soucek's actions bring the malicious bug to more people's attentions and can help stop it in due time, it also means there's a wider chance for phishers to deploy it on their own. Until Apple comments on the story and offers a fix for the bug, it'll be safest to take precaution when any password prompt emerges while browsing email in iOS.

Top Rated Comments

laurim Avatar
79 months ago
I've been having issues with repeated requests to log into iCloud for a while so if this happened while I was in Mail, I wouldn't know if it were simply more of the same or a malicious one via Mail itself. You people on here being so smug talking smack about your wives being so dumb need to stop before you embarrass yourself. well, too late but I mean after you also fall for it. This is different than falling for a regular phishing email .
Score: 11 Votes (Like | Disagree)
tigres Avatar
79 months ago
Splendid... My wife would fall for that.
Score: 6 Votes (Like | Disagree)
nagromme Avatar
79 months ago
Will the fake dialog swipe/scroll when you scroll the email? If so, that's a quick check as a defensive stopgap for those who want to watch out for this. A real dialog would be stuck to the screen and not move when you scroll.
Score: 6 Votes (Like | Disagree)
avanpelt Avatar
79 months ago
Turn two factor authentication or app-specific passwords on (or both) and this will not be a problem. Though obviously it is something that Apple needs to fix.
Score: 5 Votes (Like | Disagree)
C DM Avatar
79 months ago
That's not something Apple can control without removing features from Mail that exist in literally every modern e-mail client. Essentially what is happening here is Mail is rendering a website. It's a very small website and it's been designed to look like Apple's UI to trick you.

So here are Apple's options:


* They could disable HTML / CSS completely, and push Mail back into the dark ages.
* They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.
* They could disable specific HTML like FORMS, which would prevent this particular scam but again, cause unexpected issues when a valid e-mail has a valid form.
* They could scan the email for specific html like FORMS and provide a notice/alert that the email might be attempting to steal passwords. This is probably the best scenario but even so it would scare users away from legitimate emails using forms (which granted, are very few)

But again... this e-mail would look the same and FUNCTION the same whether you viewed it on iOS, or OS X, or Windows, or via Safari or Chrome or Opera... whether you loaded the email from Mail.app or via iCloud or Gmail or Outlook or any other email client.

And any "fix" Apple takes on its end is really only a bandage. It wouldn't prevent this phishing email from functioning on other e-mail clients and any "fix" they offer has downsides as listed above.

It's not an exploit. It's not a bug. It's not something that can only affect iOS users outside that it vaguely looks like the iOS environment. It's not a "Meta tag issue" or the result of some faulty programming on the part of Apple's iOS development team.
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
You haven't checked the link, have you? https://github.com/jansoucek/iOS-Mail.app-inject-kit
It is a meta tag issue, and your four bullets above wouldn't do anything to stop it. The email doesn't have a form, the email redirects the user to a webpage (within the mail client) that has a form. Big difference. And as the person has described, it doesn't work the same way in all mail clients, as others wouldn't follow the meta refresh.
Go read up, then come back and change your mind.
And then there's that.
Score: 4 Votes (Like | Disagree)
mw360 Avatar
79 months ago
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
I posted a good while ago about exactly this problem. Of my four iCloud enabled devices I must get at least one spurious iCloud password prompt per day (although some periods are worse than others). It seems to be either iMessage and its eternal struggle to get a ****ing grip, or FaceTime, or some other cluster that's gone off behind the scenes. And these prompts are rarely related to me actually trying to so something iCloud related. Just turn on the iPhone, and 'enter your iCloud password'. Apple don't even say why, just training us, like good little dupes, to hand it over whenever some plain white box asks for it.
Score: 3 Votes (Like | Disagree)

Top Stories

apple watch 6s 202009

Bloomberg: Apple Watch Series 7 to Feature Thinner Screen Bezels, Faster Processor, and Updated Ultra Wideband Tech

Monday June 14, 2021 3:41 am PDT by
This year's Apple Watch Series 7 is likely to have thinner display bezels and use a new lamination technique that brings the display closer to the front cover, according to Bloomberg's Mark Gurman. From the report: The Cupertino, California-based tech giant is planning to refresh the line this year -- with a model likely dubbed the Apple Watch Series 7 -- by adding a faster processor,...
ios 15 home screen icons

iOS 15 Lets You Drag and Drop Images and Text Across Apps

Saturday June 12, 2021 3:17 pm PDT by
Apple this week previewed iOS 15, which is available now in beta for developers ahead of a public release later this year. One smaller but useful new feature added is the ability to drag and drop images, text, files, and more across apps on iPhone. MacStories editor-in-chief Federico Viticci demonstrated the new feature in a tweet: Using cross-app drag and drop on iPhone in iOS 15. Finally 🎉 #WW ...
studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
apple virtual game controller ios 15

Apple Makes New On-Screen Game Controller Available to Developers on iOS 15 and iPadOS 15

Saturday June 12, 2021 12:36 pm PDT by
During the Platforms State of the Union at WWDC this week, Apple unveiled a new API for iOS 15 and iPadOS 15 that enables developers to implement an on-screen virtual game controller in their iPhone and iPad games with just a few lines of code. While many iPhone and iPad games already offer on-screen controls, Apple's new virtual game controller is available to all developers, easy to add,...
ipad mini 6

Next iPad Mini Will Allegedly Feature Thinner Bezels, USB-C Port, and Touch ID Power Button

Friday June 11, 2021 1:13 pm PDT by
On his newly launched Front Page Tech website, leaker Jon Prosser has shared renders showing off the alleged design of the next-generation iPad mini, which he says are based on schematics, CAD files, and real images of the device. In line with details shared earlier this month by Bloomberg's Mark Gurman and Debby Wu, Prosser claims that the new iPad mini will feature slimmer bezels around...
maxresdefault

Apple Promotes iPad Pro in New Ad With 'The Little Mermaid' Musical Spin

Saturday June 12, 2021 7:01 am PDT by
In a currently unlisted ad on YouTube, Apple is promoting the versatility, portability, and power of the M1 iPad Pro in a fun musical inspired by The Little Mermaid's "Part of Your World" soundtrack. In the ad, which features the main character using an M1 iPad Pro, Magic Keyboard, and Apple Pencil, multiple users can be seen struggling with their old PCs indoors while hoping that they can...
passwords system preferences

macOS Monterey Features Dedicated Password Section in System Preferences, Built-In Authenticator and More

Friday June 11, 2021 2:32 pm PDT by
macOS Monterey makes several improvements to password management, positioning iCloud Keychain as an ideal password service to replace third-party services like Lastpass and 1Password. In System Preferences, there's a new "Passwords" section that houses all of your iCloud Keychain logins and passwords so they're easier to get to, edit, and manage. There's a similar Passwords section that's...
macos monterey tidbits feature copy

macOS Monterey Tidbits: Animated Memoji on Login Screen, Change the Color of the Mouse Pointer, and More

Friday June 11, 2021 10:27 am PDT by
We've highlighted several new features coming in macOS Monterey, such as Low Power Mode and the option to erase a Mac without reinstalling the operating system, but there are some smaller tidbits that we wanted to share. Animated Memoji on Login Screen One small but fun new feature in macOS Monterey is the addition of a personalized Memoji on the login screen, complete with animated facial...
m1 imac back

Some M1 iMac Models Shipping With Crooked Mountings

Monday June 14, 2021 12:50 pm PDT by
Some M1 iMacs appear to have a manufacturing defect that causes the display to be mounted on the stand in a way that's not perfectly aligned, leading to a crooked display. YouTuber iPhonedo over the weekend published a review of the M1 iMac, and he found that his machine appeared to be tilted on one side, a mounting disparity that was visibly noticeable and proved with a ruler. Another...
mr white ipod touch 5 protoype3

Unreleased iPod Touch 5 With Chamfered Edges and 30-Pin Dock Connector Shared Online

Thursday June 10, 2021 2:05 am PDT by
Occasional leaker Mr White has today shared interesting images on Twitter of what appears to be an old-school fifth-generation iPod touch prototype with chamfered edges and a brushed aluminum finish. The original iPod touch 5 that Apple released in October 2012 had a unibody anodized aluminum chassis with rounded edges, and was available in several colors, including slate. Another...