
An iOS security vulnerability can leak your iCloud credentials

A security researcher at Ernst & Young has highlighted a security vulnerability in the native Mail app of iOS that can leak iCloud account credentials through a legitimate-looking iCloud authentication popup. The vulnerability affects all users running the latest iOS 8.3 on their iPhones and iPads.

Jan Soucek, a security specialist employed at E&Y, disclosed this vulnerability to Apple in January but did not get a response until recently. The bug was not addressed in any iOS update released after 8.1.2, from January until now. Soucek kept the details of the flaw private, and when Apple did not fix it, he decided to make the code public to highlight the risk users were exposed to.

The vulnerability allows malicious hackers to display official-looking iCloud authentication popups. Users who enter their iCloud user ID and password into such a popup expose them to the hackers, who can then easily steal them.

Errata Security CEO Rob Graham, while talking to Ars Technica, stated:

“Errata Security CEO and longtime iPhone user Rob Graham said he considered the vulnerability serious because it’s not uncommon for iOS to display login prompts at unexpected times. He told Ars he had received one such prompt earlier Wednesday, a few hours before reading of the weakness. He said the best thing users can do when encountering such a prompt is to press the cancel button without entering any login credentials. Most of the time users will face no ill consequences, and the worst that can happen is they will be prompted again. When users do enter their password into the box, they should make sure they do so when no e-mails are displayed.”

An Apple spokesman stated that the company is not aware of any user being impacted by this vulnerability. Apple has recommended that users enable two-factor authentication (2FA) for their iCloud accounts to deter this particular attack. It was also mentioned that a fix will be made available to users in a future software update.

Image Credits: idownload blog, MacWorld 

 

Mohammad Farooq

Farooq is currently writing for Dawn and TechJuice. He is also volunteering for Digital Rights Pakistan.
