Stay Safe: Bug in iOS Mail Allows Phishing Attacks

Phishing
Image via Allstate.com

A security researcher has uncovered a bug in iOS Mail that allows an attacker to remotely run HTML code on a computer when an email is opened. The researcher, Jan Soucek, first discovered the issue back in January and reported it to Apple so that it could be fixed. Since it’s now five months later and no update has closed the security hole, Soucek has published the source code for his demonstration on GitHub and created a video showing the exploit in action. Soucek is concerned that the issue opens the door to very convincing-looking phishing attacks.

Phishing is the name given to the practice of using convincing-looking emails or other tools to extract name and password information from unsuspecting computer users. Once you’ve inadvertently supplied a malicious third party with that information, it can be used for the purpose of monetary or identity theft.

Here’s the video Soucek created, showing the exploit being used on both an iPad and an iPhone to prompt a user to enter his or her user name and password. In his example, the malicious code creates a very real-looking password prompt that’s requesting a user’s Apple ID:

What can you do to stay safe until the bug is fixed? If you’re in Mail and you are prompted for a password, just cancel the prompt — assume that any login prompt you see while in Mail is malicious. If you are in another app and are still prompted to log into a service, chances are quite good that it’s a valid request for a login and you can proceed. It would probably be a much better idea to just get out of any app and use other means to log into the service requesting the password, such as logging in through Settings.

Steve Sande
Contributing Author
Steve has been writing about Apple products since 1986, starting on a bulletin board system, creating the first of his many Apple-related websites in 1994, joining the staff of The Unofficial Apple Weblog in 2008, and founding Apple World Today in 2015. He’s semi-retired, loves to camp and take photos, and is an FAA-licensed drone pilot.