A Trojan horse to phish iCloud passwords lurks in an iOS Mail bug

A researcher finds that Mail in iOS improperly filters HTML, allowing a pop-up menu to appear that closely mimics the iCloud login.

Using two-step authentication would protect you from this bug, and Apple plans even more robust support in iOS 9.

When we get complacent, we get bad about security. The more we're prompted by something irritating that can be dismissed only by entering a password again, the more likely we are to not pay attention to what's asking. I speak, of course, of Apple's seemingly random and sometimes frequent iCloud login popup messages in iOS.

A vulnerability of sorts has been uncovered in HTML handling in Mail in iOS that leverages our desire to ignore a message by just giving it what it wants. It's not an exploit that allows remote control or system access. Rather, it's a form of Trojan horse that engages in phishing, fooling the unwary and the wary alike into entering a credential in an illegitimate place that can be used elsewhere.

The person posting the vulnerability, Jan Souček, says it was reported in January to Apple (though he filed a bug rather than using Apple's security reporting email). And a video was posted in January that shows the problem. Souček confirmed via Twitter that Apple's security team has been aware of the issue since January.

An Apple spokesperson said, "We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update." Apple confirmed that two-step verification for an Apple ID would deter this particular phishing attack, as it does others, by requiring an attacker to use a second element that they cannot gain access to remotely. (Apple plans more robust, native two-factor authentication support in iOS 9.)

Stop the popover

After I restore or upgrade iOS, and sometimes after I restart it, I'm flooded by what feels like spurious login dialogs to iCloud, iMessage, and other services. This is in part because I have two Apple IDs associated with Apple cloud stuff since the company can't manage to let us merge accounts and purchases. An older Apple ID is used with iCloud sync, a newer one with iTunes purchases.

Sometimes, I have to enter what seems to be the same password for the same account 6 to 10 times before the dialogs stop pestering me. That's bad system design, and something I hope that Apple is working on with iOS 9. Credentials for the same resources should be pooled over short periods of time rather than requested repeatedly, even if a second factor is required.

The phishing attack developed by Souček and posted a few days ago in a code repository, and first reported on by Dan Goodin at Ars Technica on Wednesday, takes a clever approach to leverage a flaw in Mail. (Goodin reported that this weakness appeared in iOS 8.3 in April, but the video dates to January, which is when the developer confirmed he filed a bug report.)

The Mail app can render HTML, but--like all email apps that display rich messages--it filters out some kinds of tags and content that are either irrelevant within an email message or could be used for nefarious purposes. Souček employs a commonly used tag that's put in the header portion of an HTML page or template to redirect a user to another page, either instantly on load or after a defined delay. That's what you see when a page says, "This resource has been moved" or other jazz, and "please wait X seconds."

Mail fails to filter out the refresh request, which allows the malicious HTML email to load a page that has the full panoply of HTML available. Email clients that aren't vulnerable, which include webmail and native ones, won't process the reload. Those that do will load what looks precisely like a modal iCloud login dialog prefilled with the email address to which the phishing message was sent.
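The filter Mail should have applied, as an added example in Python (this is not the article's code, nor Apple's or the researcher's): it scans an HTML message body for meta refresh directives, reports each one's delay and target, strips the offending tag while leaving the rest of the markup alone, and gives a mail pipeline a simple allow/reject verdict. The two sample messages and the login.example.invalid address are constructed for the demonstration.

```python
"""Find and strip HTML meta refresh redirects in message bodies.

Added example for this article; not Apple's Mail filter or the researcher's code.
The sample messages and the login.example.invalid URL below are constructed.
"""
import re
from html.parser import HTMLParser

# Parses the "content" value of a refresh directive, e.g.
#   "0; url=https://host/path", "5", or "0;https://host/path" (no url= prefix)
_CONTENT_RE = re.compile(
    r"^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"\s]+))?", re.IGNORECASE
)


class RefreshScanner(HTMLParser):
    """Records every <meta http-equiv="refresh"> tag in an HTML document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []      # (delay_seconds, target_url_or_None)
        self.raw_tags = []  # exact source text of each offending tag

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # Attribute names are case-insensitive; values may be absent.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _CONTENT_RE.match(a.get("content", ""))
        delay = int(m.group(1)) if m else None
        url = m.group(2) if m and m.group(2) else None
        self.hits.append((delay, url))
        # Keep the raw tag so it can be removed byte-for-byte later.
        self.raw_tags.append(self.get_starttag_text())


def _scan(html):
    scanner = RefreshScanner()
    scanner.feed(html)
    scanner.close()
    return scanner


def find_meta_refresh(html):
    """Return [(delay, url), ...] for each refresh directive in the body."""
    return _scan(html).hits


def strip_meta_refresh(html):
    """Return the body with refresh directives removed; all other markup is kept."""
    for raw in _scan(html).raw_tags:
        html = html.replace(raw, "")
    return html


def triage(html):
    """'reject' if any refresh directive would send the reader to a URL, else 'allow'."""
    if any(url for _, url in find_meta_refresh(html)):
        return "reject"
    return "allow"


# Constructed samples: one body carrying an instant redirect, one ordinary message.
SAMPLE_REDIRECT = """<html><head>
<meta charset="utf-8">
<meta http-equiv="Refresh" content="0; url=https://login.example.invalid/icloud">
</head><body><p>Your account needs attention.</p></body></html>"""

SAMPLE_CLEAN = "<html><body><p>Lunch on Friday?</p></body></html>"


if __name__ == "__main__":
    for name, body in (("redirect", SAMPLE_REDIRECT), ("clean", SAMPLE_CLEAN)):
        print(name, triage(body), find_meta_refresh(body))
    print(strip_meta_refresh(SAMPLE_REDIRECT))
```

Because the scanner removes the exact source text of each tag it matched, attribute order, quoting style and a self-closing `/>` all survive the round trip; a regex over the raw body would have to anticipate each of those variants separately.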

While Mail will parse and allow forms within messages, making this phishing attack possible without a reload, having the email message load and then an overlay appear with an ostensible popup dialog has more of a feeling of plausibility. We're used to seeing that behavior.

To exploit this combination of factors, you have to view a message that employs this technique. With iCloud's spam filtering, which would likely quickly key into common factors (like the header tag information), few might get through.

Read the signs

An observant user would notice the following should such a message appear:

  • The message appears only in the email portion of the Mail app.
  • Scrolling the email scrolls the dialog.
  • The keyboard doesn't automatically appear, even though the focus (where the cursor is positioned) moves to the form password field.
  • When you tap the field and the keyboard then appears, the word Go appears for submission, like a form.
  • Pressing Home dismisses the dialog, which isn't the case with a true login message.

Dear Reader, you might smile to yourself and think, "I would never be fooled by this." But then I would ask you to look in your wallet or purse and find the playing card I have placed within it! Is it the eight of clubs? While you were looking, I replaced your regular security with Folger's Instant Security.

My nonsense is just to say that we, even smug little me, think that we are too sophisticated to be phished in such a way, and then I try to recall the last time I saw an iCloud login dialog--and did I simply fill it in without looking for signs of fraud? (I have two-step verification enabled, so it's for naught to phish me for most purposes; most iCloud users do not.)

By showing us the same thing unnecessarily often, Apple trains us to respond by rote. Reducing security prompts by consolidating the need for them--like taking one blood draw from a patient for a dozen tests instead of a dozen jabs--improves user attentiveness.

This flaw should be easily repaired. I hope Apple will slip it into iOS 8 before it dead-ends that version. But it should also rethink how it legitimately gathers approval from us. Phishing only works when it resembles something we can't bother to pay attention to.
