Skip to content ↓ | Skip to navigation ↓

I would wager that most people who have an iPhone or iPad use the default Apple iOS Mail application, rather than a third-party app, to read their email.

And if you’re one of those people, you could be at risk from an unpatched vulnerability that could allow hackers to convincingly trick you into handing them your passwords.

As The Register describes, Ernst and Young security researcher Jan Soucek has gone public with details of a serious flaw that he found in the default Mail app.

“Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in <meta http-equiv=refresh> HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS.”

A video made by Soucek demonstrates the serious risk that a hacker could exploit the flaw to steal passwords, such as those belonging to a victim’s iCloud account.

In a nutshell, Soucek has found a way to do something which any properly-working email client should never allow – popping up a realistic message box asking for a password to be entered.

Users could be easily duped by such a message to enter, as in the video example above, their iCloud credentials.

Sneakily, the attack code uses cookies to ensure that it is only displayed once on each victims’ computer, reducing the chances of suspicions being raised that something odd has occurred.

Maill app bug code

And what trouble could come from a malicious party getting hold of your Apple iCloud details?

Well, you shouldn’t have to think very long before you remember the plight of various female celebrities who were embarrassed to find their intimate snapshots plastered all over the internet last year after their accounts were compromised.

Of course, the flaw could easily be exploited in attempts to harvest passwords for non-iCloud accounts, as well.

Soucek says that he notified Apple about the vulnerability, sharing technical information about how it worked, on 15 January 2015. But at the time of writing, the bug has yet to be fixed.

Mail appControversially, Soucek has now released code demonstrating how the vulnerability can be exploited on Github, potentially putting it in the hands of malicious hackers and identity thieves.

Although I can understand his frustration with Apple’s lack of response for fixing the issue, Soucek could have applied pressure to the company by demonstrating the flaw to the tech media, rather than releasing exploit code for potential misuse.

Meanwhile, as we wait for Cupertino to roll out a patch, it would be wisest to either exercise extreme caution whenever an unexpected pop-up appears while perusing our Mail inbox, or use a third-party email app instead.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Tripwire University
  • Guest

    Graham, you often criticise security researchers for releasing 'proof of concept' bugs. But for a company as large as Apple it unacceptable for them to take six months and not to have fixed the problem.

    Putting "pressure" on Apple by going to the media probably won't work because newspapers etc. don't care unless there's a problem out there in the wild. A lot of them aren't prepared to criticise Apple anyway, so what's this researcher got to lose by putting this vulnerability out there?

    It sounds like he gave Apple a chance and they blew it. I'd wager that this will now be fixed as a matter of priority. As far as we know this could have been exploited prior to him reporting it (i.e. somebody else has already discovered it).

    He's done us all a favour by going public.

  • gadget37

    In response to this article I changed my Apple password. I have 2 factor authentication but don't understand how it works with Apple. My second iPhone says I need to generate an app specific password yet the iPhone supports 2FA and you are not supposed to have to use app specific passwords with devices supporting 2FA. It's all very well having these extra security tools in place but when they are complex and confusing it is a real barrier to appropriate security adoption!

  • Is this mail bug still present in the iOS or not? Anyway, I am going to change my password right now just to be safe.