A bug in the iOS Mail app could allow an attacker to run remote HTML code when an email is opened. The attack could be used to imitate an iCloud login to obtain a user's Apple ID login information.
Security researcher Jan Soucek discovered a bug in the iOS Mail app that allowed an attacker to run remote HTML code when an email is opened. That code could easily imitate an iCloud login prompt, fooling users into giving away their Apple ID credentials …
The code could be used to imitate any website or service, or to run arbitrary HTML or CSS of the attacker's choosing.
Soucek says he filed a bug report with Apple when he first discovered the bug in iOS 8.1.1. He kept the information quiet, in order to give Apple time to fix the bug. Now he says it’s five months later, and Apple still hasn’t fixed the issue, so he decided to let the public know about the risk.
“It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here.”
Soucek has uploaded a proof of concept to GitHub. While this alerts people to the existence of the bug and puts pressure on Apple to finally fix it, it also means the bad guys now know about the code.
The best plan of action at the moment is to play it safe, and assume any login popup that you see while using iOS Mail is from the bad guys. If your iOS device really does need you to re-authenticate your iCloud or other login, wait until you’re prompted while you’re NOT using Mail.