iOS Mail Exploit Allows Clever Phishing Attacks, Says Researcher [VIDEO]

If you thought that Apple had ironed out iOS 8 by now, here is another reason to worry — especially if you are a power Mail app user: Ernst and Young security researcher Jan Soucek has uncovered a bug that leaves millions of iOS users vulnerable to phishing attacks (via The Register).


Remember those password pop-up windows you get sometimes when you open the Mail app? Well, Soucek created a tool that is capable of generating “slick iCloud password phishing emails” and produces a pop-up that matches the one we are accustomed to.

The fact is, he discovered the bug earlier this year and immediately informed Apple about it. Unfortunately, they didn’t respond to the bug report.

“Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in HTML tag in e-mail messages not being ignored,” Soucek says.

“This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS.

“It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2.”

Soucek’s tool could allow scammers to collect your iCloud username and password, but they can customize it to collect whatever data they want to harvest.

He says the http-equiv tool targets victims only once by installing cookies on iDevices. Now that it’s been made public, we can only hope that Apple takes this flaw seriously. The bug is present in the latest version of iOS 8 as well, so you may want to think twice before entering your password into that pop-up window.
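A defensive check for the pattern described above, as an added example (not code from the article, from Soucek or from Apple): a mail-gateway scan that flags HTML parts carrying a `<meta http-equiv="refresh">` tag or a password input. It assumes the "http-equiv" tag mentioned above is a refresh redirect; the sample messages, rule names and `scan_message` are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample messages for this example (not from the article or the researcher's tool).
HEADERS = ("From: sender@example.com\nTo: user@example.com\nSubject: Constructed sample\n"
           "MIME-Version: 1.0\nContent-Type: text/html; charset=\"utf-8\"\n\n")
FLAGGED = HEADERS + ('<html><head><meta http-equiv="refresh" '
                     'content="0; url=https://mail.example.invalid/x"></head>'
                     "<body><p>Hello</p></body></html>\n")
BENIGN = HEADERS + ('<html><head><meta http-equiv="Content-Type" '
                    'content="text/html; charset=utf-8"></head>'
                    "<body><p>Hello</p></body></html>\n")


class MailHtmlScanner(HTMLParser):
    """Collects markup in an e-mail body that warrants quarantine or review."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            # A refresh can replace the displayed message with remote content.
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "input" and a.get("type", "").strip().lower() == "password":
            # A password field inside a message body is a strong phishing signal.
            self.findings.append(("password-input", a.get("name", "")))


def scan_message(raw):
    """Return a list of (rule, detail) findings for every text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    scanner = MailHtmlScanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, raw in (("flagged", FLAGGED), ("benign", BENIGN)):
        print(name, scan_message(raw))
```

The benign sample shows why the rule matches only `refresh`: legitimate HTML mail often carries a `Content-Type` `http-equiv` tag, which should not be flagged.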


  • In cases such as this, I sleep easy knowing my account is secure under Apple's two stage security. A text is sent to my phone with a verification code the hacker needs to log into my account.

  • Two step security is key nowadays, not just for Apple but Google accounts too.