A Trojan horse to phish iCloud passwords lurks in an iOS Mail bug

A researcher finds that Mail in iOS improperly filters HTML, allowing a pop-up menu to appear that closely mimics the iCloud log in.

phish fake icloud login

Don't trust its innocent face.

When we get complacent, we get bad about security. The more we’re prompted by something irritating that can be dismissed only by entering a password again, the more likely we are to not pay attention to what’s asking. I speak, of course, of Apple’s seemingly random and sometimes frequent iCloud login popup messages in iOS.

A vulnerability of sorts has been uncovered in HTML handling in Mail in iOS that leverages our desire to ignore a message by just giving it what it wants. It’s not an exploit that allows remote control or system access. Rather, it’s a form of Trojan horse that engages in phishing, fooling the unwary and the wary alike into entering a credential in an illegitimate place that can be used elsewhere.

The person posting the vulnerability, Jan Souček, says it was reported in January to Apple (though he filed a bug rather than use Apple’s security reporting email). And a video was posted in January that shows the problem. Souček confirmed via Twitter that Apple’s security team has been aware of the issue since January.

ios9 two factor login screen

Using two-step authentication would protect you from this bug, and Apple plans even more robust support in iOS 9.

An Apple spokesperson said, “We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update.” Apple confirmed that two-step verification for an Apple ID would deter this particular phishing attack, as it does others, by requiring an attacker to use a second element that they cannot gain access to remotely. (Apple plans more robust, native two-factor authentication support in iOS 9.)

Stop the popover

After I restore or upgrade iOS, and sometimes after I restarted it, I’m flooded by what feels like spurious login dialogs to iCloud, iMessage, and other services. This is in part because I have two Apple IDs associated with Apple cloud stuff since the company can’t manage to let us merge accounts and purchases. An older Apple ID is used with iCloud sync, a newer one with iTunes purchases.

Sometimes, I have to enter what seems to be the same password for the same account 6 to 10 times before the dialogs stop pestering me. That’s bad system design, and something I hope that Apple is working on with iOS 9. Credentials for the same resources should be pooled over short periods of time rather than requested repeatedly, even if a second factor is required.

The phishing attack developed by Souček and posted a few days ago in a code repository, and first reported on by Dan Goodin at Ars Technica on Wednesday, takes a clever approach to leverage a flaw in Mail. (Goodin reported that this weakness appeared in iOS 8.3 in April, but the video dates to January, which is when the developer confirmed he filed a bug report.)

The Mail app can render HTML, but—like all email apps that display rich messages—it filters out some kinds of tags and content that are either irrelevant within an email message or could be used for nefarious purposes. Souček employs a commonly used tag that’s put in the header portion of an HTML page or template to redirect a user to another page, either instantly on load or after a defined delay. That’s what you see when a page says, “This resource has been moved” or other jazz, and “please wait X seconds.”

Mail fails to filter out the refresh request, which allows the malicious HTML email to load a page that has the full panoply of HTML available. Email clients that aren’t vulnerable, which include webmail and native ones, won’t process the reload. Those that do will load what looks precisely like a modal iCloud login dialog prefilled with the email address to which the phishing message was sent.

While Mail will parse and allow forms within messages, making this phishing attack possible without a reload, having the email message load and then an overlay appear with an ostensible popup dialog has more of a feeling of plausibility. We’re used to seeing that behavior.

To exploit this combination of factors, you have to view a message that employs this technique. With iCloud’s spam filtering, which would likely quickly key into common factors (like the header tag information), few might get through.

Read the signs

An observant user would notice the following should such a message appear:

  • The message appears only in the email portion of the Mail app.

  • Scrolling the email scrolls the dialog.

  • The keyboard doesn’t automatically appear, even though the focus (where the cursor is positioned) moves to the form password field.

  • When you tap the field and the keyboard then appears, the word Go appears for submission, like a form.

  • Pressing Home dismisses the dialog, which isn’t the case with a true login message.

Dear Reader, you might smile to yourself and think, “I would never be fooled by this.” But then I would ask you to look in your wallet or purse and find the playing card I have placed within it! Is the eight of clubs? While you were looking, I replaced your regular security with Folger’s Instant Security.

My nonsense is just to say that we, even smug little me, think that we are too sophisticated to be phished in such a way, and then I try to recall the last time I saw an iCloud login dialog—and did I simply fill it in without looking for signs of fraud? (I have two-step verification enabled, so it’s for naught to phish me for most purposes; most iCloud users do not.)

By showing us the same thing unnecessarily often, Apple trains us to respond by rote. Reducing security prompts by consolidating the need for them—like taking one blood draw from a patient for a dozen tests instead of a dozen jabs—improves user attentiveness.

This flaw should be easily repaired. I hope Apple will slip it into iOS 8 before it dead-ends that version. But it should also rethink how it legitimately gathers approval from us. Phishing only works when it resembles something we can’t bother to pay attention to.

Subscribe to the Best of Macworld Newsletter

Comments