A security researcher has uncovered a bug in iOS Mail that allows an attacker to remotely run HTML code on an iOS device when an email is opened. The researcher, Jan Soucek, first discovered the issue back in January and reported it to Apple so that it could be fixed. Since it's now five months later and no update has closed the security hole, Soucek has published the source code for his demonstration on GitHub and created a video showing the exploit in action. Soucek is concerned that the issue opens the door to very convincing-looking phishing attacks.
Phishing is the name given to the practice of using convincing-looking emails or other tools to extract username and password information from unsuspecting computer users. Once you've inadvertently supplied a malicious third party with that information, it can be used for monetary or identity theft.
Here’s the video Soucek created, showing the exploit being used on both an iPad and an iPhone to prompt a user to enter his or her user name and password. In his example, the malicious code creates a very real-looking password prompt that’s requesting a user’s Apple ID:
What can you do to stay safe until the bug is fixed? If you’re in Mail and you are prompted for a password, just cancel the prompt — assume that any login prompt you see while in Mail is malicious. If you are in another app and are still prompted to log into a service, chances are quite good that it’s a valid request for a login and you can proceed. It would probably be a much better idea to just get out of any app and use other means to log into the service requesting the password, such as logging in through Settings.