A security researcher called Jansoucek has published a proof-of-concept video online demonstrating how simple it is to create a fake Apple ID login screen in order to steal user passwords.

Jansoucek released the proof-of-concept video to bring the issue to Apple’s attention once again, so that the company increases security levels accordingly. Jansoucek found this flaw in January, but Apple failed to address the issue in any following iOS updates.

The attack exploits a flaw in Mail.app, the default iOS email program, which fails to properly strip out potentially dangerous HTML code from inbound emails. As a result, an attacker can build a fake login page using nothing more than simple markup.

Jansoucek wrote: “this bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS.”
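A mail gateway or client-side filter can flag this class of message before it is rendered. The sketch below is an added example, not code from Jansoucek or Apple; it uses Python's standard `html.parser`, and the class name, finding labels and sample messages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class MailHtmlAudit(HTMLParser):
    """Records markup in an e-mail body that needs no JavaScript but can
    pull in remote content or collect what the reader types."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (label, detail) tuples, in document order

    @staticmethod
    def _remote(url):
        # Absolute and protocol-relative URLs both carry a network location.
        return bool(urlparse(url or "").netloc)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            label = "form-remote-action" if self._remote(a.get("action")) else "form"
            self.findings.append((label, a.get("action", "")))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password-input", a.get("name", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag in ("iframe", "object", "embed"):
            self.findings.append(("embedded-document", a.get("src") or a.get("data", "")))


HIGH_RISK = {"form-remote-action", "password-input", "meta-refresh", "embedded-document"}


def audit(html_body):
    """Return every finding for one HTML message body."""
    parser = MailHtmlAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings


def should_quarantine(html_body):
    """True when the body contains any construct a mail renderer should strip."""
    return any(label in HIGH_RISK for label, _ in audit(html_body))


# Constructed sample bodies (not taken from the proof of concept).
BENIGN = '<p>Your <a href="https://example.invalid/invoice">invoice</a> is ready.</p><img src="cid:logo">'
SUSPICIOUS = ('<form action="https://collector.example.invalid/submit" method="post">'
              '<input type="password" name="pw"></form>')

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, should_quarantine(body), audit(body))
```

Ordinary links and inline images are deliberately not flagged, so the check targets input collection and content replacement rather than all remote references.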

This vulnerability comes after the dramatic iCloud hack last year, in which celebrity nudes were leaked and after which Apple promised to prioritise user security.

During a recent interview, an Apple spokesman stated that “We are not aware of any customers affected at this current time”, and added that “We are working on fixing the problem in an upcoming software update”.
