A bug was recently discovered in iOS 8's Mail app by Twitter user Jan Soucek. It lets people who are up to no good easily phish your iCloud login details, and you won’t even know that something has gone wrong. With the bug, remote HTML content can be loaded in place of the original email content, and the victim is then prompted with a fake iCloud login popup that looks very similar to the genuine iOS one.
Ars Technica has provided an in-depth breakdown of the bug, but here are the main takeaways:
- You receive an email and you open it.
- An iCloud login popup asks for your information.
- Not suspecting anything, you type in login details.
- The popup goes away and you go about with your day.
- Your iCloud information is now with whoever’s responsible for the phishing.
How to Protect Yourself From Phishing Attacks in iOS 8 Mail App:
Although it’s unlikely that you will be targeted by these phishing emails, you just can’t be too sure these days. Here are some tips that will help you spot phishing attacks.
- The legit popup iCloud window, by default, will have the username field filled in and can’t be edited. Fake iCloud login windows will require you to enter your username and password. Check out the image below for a comparison.
- Fake popups can be dismissed by pressing the Home or Touch ID button. A legitimate iCloud login window can’t be dismissed that way but only by tapping "OK" or "Cancel".
- Attacks of this kind will usually happen while in the Mail app. So if you just got an iCloud login popup while in the Mail app, you should be wary. Anyway, it’s unlikely that you will be asked to authenticate your iCloud password while in the Mail app.
- With an authentic popup, the keyboard will automatically appear. The fake one will require the user to click the fields before the keyboard appears.
- The real popup can’t be moved around, which can’t be said of the fake one.
Keep in mind that this is merely a proof-of-concept, but it won’t hurt to take heed. Ars Technica has reached out to Apple, and the company has stated that no users have been affected by such attacks but that it will be working on a fix, which should come with the next update. [via WonderHowTo]