SecurityWeek
Serious Flaw in iOS Mail App Exposes Users to Phishing Attacks

The email client shipped with Apple’s iOS mobile operating system is plagued by a vulnerability that can be exploited to load remote arbitrary HTML content in the application, a researcher has warned.

Czech researcher Jan Souček published proof-of-concept (PoC) code and a video earlier this week to demonstrate his findings.

The expert discovered in January that the iOS email client (Mail.app) doesn’t ignore the <meta http-equiv=refresh> HTML tag in email messages. This allows an attacker to create emails that load remote HTML content when opened.
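As a defender-side check added here (it is not code from the article or from the researcher), the following Python scanner parses a mail message and reports the target of every `<meta http-equiv="refresh">` tag in its HTML parts, the tag the article says Mail.app honours; a mail gateway or triage script can flag or strip such messages before they reach a client that follows the redirect. The sample message and its URL are constructed placeholders.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not from the article); the target URL is a placeholder.
SAMPLE_EML = """MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html

<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL='http://attacker.invalid/page'">
</head><body>Hello</body></html>
--b1--
"""

# Target of a refresh directive such as "0; url=http://..." (case-insensitive, optional quotes)
_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)

class _MetaRefreshFinder(HTMLParser):
    """Collect the target of every <meta http-equiv="refresh"> start tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _URL_RE.search(a.get("content", ""))
        # A refresh without url= only reloads the page; record it as an empty target.
        self.targets.append(m.group(1) if m else "")

def find_meta_refresh(html):
    # Return refresh targets found in one HTML document.
    p = _MetaRefreshFinder()
    p.feed(html)
    p.close()
    return p.targets

def scan_message(raw):
    """Return refresh targets from every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            found.extend(find_meta_refresh(part.get_content()))
    return found
```

A non-empty result from `scan_message` is a reliable quarantine signal, since legitimate mail has no reason to redirect the reader's client to a remote page on open.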

“JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS,” Souček said.

The researcher has published a video in which he shows how an attacker can send out a specially crafted email that prompts recipients to enter their iCloud credentials. The username and password collected from the victim are then sent back to the attacker.

Users noted on Hacker News that such an attack is likely to succeed against many people, because iOS users are frequently asked to enter their iCloud credentials and the genuine dialog box designed by Apple is easy to replicate.

Souček has published the source code for an iOS 8.3 “inject kit” on GitHub. The expert has pointed out that this is just an example to demonstrate the existence of the vulnerability, which can be leveraged for other attacks as well, not just credentials harvesting.

“The vulnerability can be used for anything that requires HTML tags not supported by Mail.app,” Souček explained.

The researcher said he reported the flaw to Apple back in January via the company’s Radar bug tracking system. He has now decided to publicly disclose the vulnerability because Apple has failed to take any action.

It’s worth noting that Apple released the first iOS 9 Beta and iOS 8.4 Beta 4 this week, but it’s unclear whether these versions address the vulnerability. Even if they do fix the flaw, these builds are currently only available to developers.

Independent security analyst Graham Cluley has pointed out that the code published by the researcher might be put to good use by malicious hackers and identity thieves.

“Although I can understand his frustration with Apple’s lack of response for fixing the issue, Soucek could have applied pressure to the company by demonstrating the flaw to the tech media, rather than releasing exploit code for potential misuse,” Cluley wrote in a blog post for Tripwire. “Meanwhile, as we wait for Cupertino to roll out a patch, it would be wisest to either exercise extreme caution whenever an unexpected pop-up appears while perusing our Mail inbox, or use a third-party email app instead.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
