Hackers might have a new way to trick iPhone and iPad users into giving up their Apple passwords.
A bug said to be in the Mail application for iPhones and iPads allows a hacker to see a user’s password by mimicking a login window, according to a computer programmer who disclosed the vulnerability in a posting on the coding community GitHub.
A hacker can generate the fake login window by sending the target an email with certain coding in it. Users who then enter their password in the fake login window are sharing that information with the hacker.
Jan Soucek said in the GitHub post Sunday that he told Apple about the issue in January, but it had not been fixed. Apple and Soucek didn’t immediately respond to requests to comment.
Stealing login credentials doesn’t always require a bug, though. Sometimes, it just takes a normal-looking email that links to a fraudulent website. Last year’s leak of celebrities' nude photos, which had been stored on their Apple iCloud accounts, was believed to have stemmed from hackers using phishing emails to get the celebrities to hand over login information. Victims included Jennifer Lawrence, Kate Upton and Hope Solo.
Recently released federal court documents related to the investigation into the “Celebgate” leak doesn’t definitively name phishing as the culprit. But an FBI agent writes that phishing through email, text message or iMessage is a common way to “gain unauthorized access to a victim’s iCloud account.” From there, software that can be found online can be used to download the contents of the iCloud online storage system. As many as 900 accounts may have been compromised, according to the documents.
It’s all a reminder to users to be a wary of when typing in personal information.
Chat with me on Twitter @peard33