A vulnerability has been discovered in Apple's iOS mail client that could enable an attacker to load external HTML and easily carry out convincing phishing attacks on unsuspecting users. Several ID accounts are tied to many different applications within iOS, including iCloud, Apple's App Store, and the user's iTunes account. Several others are present in third-party applications. Successful exploitation of this vulnerability could result in the attacker harvesting whichever user accounts they are after.
- Apple iOS 8.0 and above
A vulnerability has been discovered in Apple's iOS mail client that can lead to a user giving up their Apple ID account. The vulnerability exploits a bug in the operating system's native email client to produce a realistic pop-up of the kind Apple users are accustomed to. Anyone with access to it can customize the attack to ask for whichever username and password credentials they want.
As of the publication of this advisory, this cannot be prevented with New York State's mobile device management platform. If you think an account has been compromised and would like assistance, please call the New York State Cyber Security Operations Center at the number below.
We recommend the following actions be taken:
- Do not enter credentials into the pop-up box should you receive an email asking for them.
- If you think you were compromised, immediately use Apple's password reset procedure to change your password.