iOS mail app exploit could expose users to phishing attacks

Heads up to anyone using iOS's Mail app: security researcher Jan Souček has found a serious vulnerability in the way the app handles inline HTML, allowing an attacker to load arbitrary web pages—including a simulated iCloud login prompt for phishing purposes. You can watch the proof-of-concept here:

The iCloud prompt is only one possible exploit. Other login prompts could also be emulated with a bit of HTML and CSS. As such, grabbing Google or Facebook logins might be only a step away.

For the curious, Souček has a GitHub repository with his sample code. He found this bug back in iOS 8.1.2, and reported it last January. However, Apple didn't fix it in subsequent updates. I'm guessing they will now.

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.