You could inadvertently reveal your iCloud password because of an iOS flaw

By Ian Chee & Koh Wanzi - on 11 Jun 2015, 6:07pm

Dangerous HTML code embedded in incoming emails could call up spurious dialogue boxes that prompt you to reveal your iCloud log-in credentials. (Image Source: Ars Technica)

With all the attention surrounding software security flaws and backdoors these days, it’s easy to forget that sometimes the biggest security weakness is human fallibility. A GitHub researcher called “jansoucek” has discovered a flaw in iOS that can be exploited to trick users into giving up their iCloud passwords.

The latest version of iOS, 8.3, apparently doesn't filter out some shady HTML code that could be embedded in incoming emails. No ultra-sophisticated hacks here, just some simple code that calls up a remote HTML form that looks identical to the iCloud log-in window. And if you fall for it, enter your iCloud username and password into the field and hit “OK”, your iCloud account is compromised right away.
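As an added illustration (not code from the researcher or from this article), here is a mail-gateway style check in Python that flags HTML email parts carrying markup able to load remote content or collect a password. The article does not name the HTML involved, so the tag list, the function and class names and the sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from html.parser import HTMLParser

# Assumed policy: none of these tags belong in a legitimate email body.
ACTIVE_TAGS = {"form", "iframe", "script", "object", "embed"}


class ActiveContentFinder(HTMLParser):
    """Collects tags that can fetch remote content or ask for credentials."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values are not.
        a = {k: (v or "").lower() for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(tag)
        elif tag == "input" and a.get("type") == "password":
            self.findings.append("password-input")
        elif tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.append("meta-refresh")


def scan_message(raw):
    """Return the suspicious constructs found in every text/html part."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        finder = ActiveContentFinder()
        # Decode leniently: a scanner should not crash on a bad charset.
        finder.feed(payload.decode("utf-8", errors="replace"))
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed sample messages (not taken from any real email).
BENIGN = ('Content-Type: text/html; charset="utf-8"\n\n'
          '<html><body><p>Hello</p>'
          '<a href="https://example.invalid/">link</a></body></html>')
SUSPICIOUS = ('Content-Type: text/html; charset="utf-8"\n\n'
              '<html><body><form action="https://example.invalid/x">'
              '<input type="text" name="u">'
              '<input type="PASSWORD" name="p"></form></body></html>')

if __name__ == "__main__":
    print(scan_message(BENIGN), scan_message(SUSPICIOUS))
```

A gateway or mail client could quarantine the message or strip the flagged elements whenever `scan_message` returns a non-empty list.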

Fortunately, there are ways to tell the fake form apart from the real one if you’re careful. For instance, the predictive keyboard mode apparently doesn’t turn off like it does with the real log-in dialogue box. The fake log-in window can also be dismissed by simply hitting the Home button on your iPhone, which wouldn’t have worked if it were the real deal.

These things may only be apparent to the eagle-eyed observer, and it’s slightly scary to think how easy it would be to give up your log-in credentials if you weren’t thinking. So watch out, people, lest you get embroiled in your own iCloud hacking scandal, sans Jennifer Lawrence.

Source: Jansoucek via Engadget