Security researcher Jan Soucek has discovered a potential flaw in the iOS Mail app that could trick users into revealing their password. A report in 9to5mac says, “allowed an attacker to run remote HTML code when an email is opened. That code could easily imitate an iCloud login prompt, fooling users into giving away their Apple ID credentials.”
On his GitHub page, Soucek reveals, “Back in January 2015, I stumbled upon a bug in iOS’s mail client, resulting in <meta http-equiv=refresh> HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS.”
He goes on to add that the bug was filed under “Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here.”
You could watch the video here:
