A new bug facing the iOS Mail app was found recently by security specialist Jan Soucek (via The Register). The malicious bug is capable of delivering false iCloud log-in prompts by allowing remote HTML content to be loaded through an email message delivered to the intended victim. The bug then delivers a convincing iCloud log-in box for users to re-enter their Apple ID and password. Soucek says that Apple did not respond to his discovery of the bug when he stumbled across it back in January.


"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS."

The bug isn't relegated to only iCloud phishing attacks, however, letting anyone with access to it customize the attack to ask for whichever username and password credentials they feel the need for. Soucek kept the details of the bug only between himself and Apple, letting the company have time to possibly fix the attack and inform him of its progress. Given the company's remaining quietness on the subject, he decided to publish the proof of concept - called the Mail.app inject kit - on GitHub in hopes of spreading its awareness.

"It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here."

While Soucek's actions bring the malicious bug to more people's attentions and can help stop it in due time, it also means there's a wider chance for phishers to deploy it on their own. Until Apple comments on the story and offers a fix for the bug, it'll be safest to take precaution when any password prompt emerges while browsing email in iOS.

Related Forum: iOS 8

Top Rated Comments

laurim Avatar
98 months ago
I've been having issues with repeated requests to log into iCloud for a while so if this happened while I was in Mail, I wouldn't know if it were simply more of the same or a malicious one via Mail itself. You people on here being so smug talking smack about your wives being so dumb need to stop before you embarrass yourself. well, too late but I mean after you also fall for it. This is different than falling for a regular phishing email .
Score: 11 Votes (Like | Disagree)
tigres Avatar
98 months ago
Splendid... My wife would fall for that.
Score: 6 Votes (Like | Disagree)
nagromme Avatar
98 months ago
Will the fake dialog swipe/scroll when you scroll the email? If so, that's a quick check as a defensive stopgap for those who want to watch out for this. A real dialog would be stuck to the screen and not move when you scroll.
Score: 6 Votes (Like | Disagree)
avanpelt Avatar
98 months ago
Turn two factor authentication or app-specific passwords on (or both) and this will not be a problem. Though obviously it is something that Apple needs to fix.
Score: 5 Votes (Like | Disagree)
C DM Avatar
98 months ago
That's not something Apple can control without removing features from Mail that exist in literally every modern e-mail client. Essentially what is happening here is Mail is rendering a website. It's a very small website and it's been designed to look like Apple's UI to trick you.

So here are Apple's options:


* They could disable HTML / CSS completely, and push Mail back into the dark ages.
* They could offer a toggle to disable HTML / CSS in Mail, which few people would use and would cause unexpected issues when a valid e-mail requires HTML / CSS to render.
* They could disable specific HTML like FORMS, which would prevent this particular scam but again, cause unexpected issues when a valid e-mail has a valid form.
* They could scan the email for specific html like FORMS and provide a notice/alert that the email might be attempting to steal passwords. This is probably the best scenario but even so it would scare users away from legitimate emails using forms (which granted, are very few)

But again... this e-mail would look the same and FUNCTION the same whether you viewed it on iOS, or OS X, or Windows, or via Safari or Chrome or Opera... whether you loaded the email from Mail.app or via iCloud or Gmail or Outlook or any other email client.

And any "fix" Apple takes on its end is really only a bandage. It wouldn't prevent this phishing email from functioning on other e-mail clients and any "fix" they offer has downsides as listed above.

It's not an exploit. It's not a bug. It's not something that can only affect iOS users outside that it vaguely looks like the iOS environment. It's not a "Meta tag issue" or the result of some faulty programming on the part of Apple's iOS development team.
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
You haven't checked the link, have you? https://github.com/jansoucek/iOS-Mail.app-inject-kit
It is a meta tag issue, and your four bullets above wouldn't do anything to stop it. The email doesn't have a form, the email redirects the user to a webpage (within the mail client) that has a form. Big difference. And as the person has described, it doesn't work the same way in all mail clients, as others wouldn't follow the meta refresh.
Go read up, then come back and change your mind.
And then there's that.
Score: 4 Votes (Like | Disagree)
mw360 Avatar
98 months ago
Perhaps if Apple's own prompts to ask for iCloud passwords here and there weren't as common or secured in some way to clearly be unique to an actual valid system prompt then things of this nature wouldn't have as much potential of being abused.
I posted a good while ago about exactly this problem. Of my four iCloud enabled devices I must get at least one spurious iCloud password prompt per day (although some periods are worse than others). It seems to be either iMessage and its eternal struggle to get a ****ing grip, or FaceTime, or some other cluster that's gone off behind the scenes. And these prompts are rarely related to me actually trying to so something iCloud related. Just turn on the iPhone, and 'enter your iCloud password'. Apple don't even say why, just training us, like good little dupes, to hand it over whenever some plain white box asks for it.
Score: 3 Votes (Like | Disagree)

Popular Stories

iPhone Measure Height

Newer iPhones Allow You to Measure Someone's Height Instantly — Here's How

Saturday December 3, 2022 10:23 am PST by
iPhone 12 Pro and Pro Max, iPhone 13 Pro and Pro Max, and iPhone 14 Pro and Pro Max models feature a LiDAR Scanner next to the rear camera that can be used to measure a person's height instantly in Apple's preinstalled Measure app. To measure a person's height, simply open the Measure app, point your iPhone at the person you want to measure, and make sure they are visible on the screen from...
iOS 16

When Will iOS 16.2 Be Released?

Friday December 2, 2022 2:13 pm PST by
Apple in late October began testing iOS 16.2 and iPadOS 16.2 updates, providing betas to both developers and public beta testers. As of now, we've had four total betas, with the fourth beta having been released earlier this week. iOS 16.2 and iPadOS 16.2 are expected before the end of the year, and we thought we'd try to narrow down the launch timeline. With only four betas released since...
14 vs 16 inch mbp m2 pro and max feature 1

Major RAM Upgrade Coming to Next-Generation MacBook Pro

Friday December 2, 2022 2:03 am PST by
The next-generation MacBook Pro models could feature faster RAM, according to a recent report from a reliable source. MacRumors Forums member "Amethyst," who accurately revealed details about the Mac Studio and Studio Display before those products were announced, recently provided information about Apple's upcoming 14- and 16-inch MacBook Pro models. The new machines are expected to feature...
General iOS 16 Feature Yellow

iOS 16.2 for iPhone Launching This Month With These 8 New Features

Thursday December 1, 2022 8:44 am PST by
Apple plans to publicly release iOS 16.2 for the iPhone in mid-December, according to Bloomberg's Mark Gurman. The update remains in beta testing for now, with at least eight new features and changes already uncovered so far. iOS 16.2 introduces a number of new features, including Apple's new whiteboard app Freeform, two new Lock Screen widgets for Sleep and Medications, the ability to hide...
apple ar headset concept 1

Kuo: Apple Headset Shipments Potentially Delayed Until Second Half of 2023

Sunday December 4, 2022 7:38 am PST by
Mass shipments of Apple's long-rumored AR/VR headset may be delayed until the second half of 2023 due to unspecified "software-related issues," according to the latest information shared today by tech analyst Ming-Chi Kuo. Apple headset render by Ian Zelbo Kuo said mass shipments of components for the headset are still likely to begin in the first half of 2023, but he believes that mass...
Emergency SOS via Satellite iPhone YT

Apple's iPhone 14 Emergency SOS via Satellite Feature Saves Stranded Man in Alaska

Thursday December 1, 2022 4:37 pm PST by
With the launch of iOS 16.1, Apple rolled out a Emergency SOS via Satellite, which is designed to allow iPhone 14 owners to contact emergency services using satellite connectivity when no cellular or WiFi connection is available. The feature was put to the test in Alaska today, when a man became stranded in a rural area. In the early hours of the morning on December 1, Alaska State Troopers ...
iPhone 14 Pro Purple Side Perspective Feature Purple

iPhone 15 Pro Rumored to Have These 5 Exclusive Features

Saturday December 3, 2022 10:55 am PST by
While we're still around nine months away from Apple unveiling the iPhone 15 lineup, rumors already suggest that the higher-end Pro models will have even more exclusive features than usual compared to the standard models next year. There are currently at least five features rumored to be exclusive to iPhone 15 Pro models:A17 chip: iPhone 15 Pro models will be equipped with an A17 Bionic...
top stories 3dec2022

Top Stories: M2 Max Benchmark Leak, iPhone 15 Camera Rumor, and More

Saturday December 3, 2022 6:00 am PST by
With Black Friday and Cyber Week shopping events winding down and the calendar flipping over to December, our attention is starting to turn to 2023 and all of the Apple news we're expecting to see. This week saw an alleged benchmark leak for an "M2 Max" chip expected to make an appearance in upcoming Macs like the MacBook Pro early next year, as well as fresh rumors about the iPhone 15...
android apple fix rcs

Google Again Criticizes Apple for Not Adopting RCS for Messages App: 'Their Texting is Stuck in the 1990s'

Friday December 2, 2022 10:54 am PST by
Google is continuing on with its attempt to convince Apple to adopt the RCS messaging standard, publishing a new "it's time for RCS" blog post. Promoted heavily by Google, RCS or Rich Communication Services is a messaging standard that is designed to replace the current SMS messaging standard. It provides support for higher resolution photos and videos, audio messages, and bigger file sizes, ...
maxresdefault

Can't Get an iPhone 14 Pro? Here's Why You Should Wait for the iPhone 15 Ultra

Monday December 5, 2022 11:44 am PST by
Due to production issues at Apple supplier factories in China, the iPhone 14 Pro and iPhone 14 Pro Max are backordered and basically out of stock at every store. If you were planning to gift or receive an iPhone 14 Pro model for the holidays and didn't already get one, you're basically out of luck because they're gone until late December. Subscribe to the MacRumors YouTube channel for more ...