A researcher has published a proof-of-concept showing how a flaw in the iOS Mail client can be exploited to trick Apple users into handing over their iCloud passwords.

The flaw, present in the default Mail app in the latest version of iOS for iPhone and iPad, is that the client fails to strip the <meta http-equiv="refresh"> HTML tag from incoming messages. A meta refresh inside a message body tells the renderer to load a page from a remote server, so a phisher can replace the original content of the email with whatever HTML the attacker's server returns at the moment the message is opened.


The researcher who discovered the bug demonstrated it by having the message load a form from a remote server that looks exactly like a legitimate iCloud log-in prompt. Because the form is served by the attacker, any password a victim types into it goes straight to the attacker's server.
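The two paragraphs above describe the missing check: a mail client that honours a meta refresh inside a message body lets the sender swap the message for remotely hosted HTML. The following is an added example, not code from the original article or from Apple, showing what the check looks like on the receiving side: it parses an HTML message, reports every meta refresh and the URL it points at, and strips those tags before rendering. The sample message and the example.invalid URL are constructed for the demonstration.

```python
"""Detect and strip <meta http-equiv="refresh"> tags from HTML e-mail bodies.

Added example, not the article's or Apple's code. Handles the variants a
phisher would try: upper-case tag/attribute names, unquoted attribute values,
quoted URLs inside the content attribute, and self-closing <meta ... />.
"""
from html.parser import HTMLParser


class MetaRefreshFinder(HTMLParser):
    """Records every <meta http-equiv=refresh> start tag and its redirect target."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # list of (raw start-tag text, target URL or None)

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # get_starttag_text() is the exact source text of the tag, which lets
        # strip_meta_refresh() remove it without re-serialising the document.
        self.hits.append((self.get_starttag_text(), _refresh_target(a.get("content", ""))))


def _refresh_target(content):
    """Extract the URL from a refresh directive such as
    "0; url=https://x" or "0;URL='https://x'". Returns None if there is none."""
    for part in content.split(";"):
        part = part.strip()
        if part.lower().startswith("url"):
            _, _, value = part.partition("=")
            return value.strip().strip("'\"").strip() or None
    return None


def find_meta_refresh(html):
    """Return the redirect targets of all meta refresh tags in the document."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    return [url for _, url in parser.hits]


def strip_meta_refresh(html):
    """Return the document with every meta refresh tag removed."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    for raw_tag, _ in parser.hits:
        html = html.replace(raw_tag, "")
    return html


# Constructed sample message: a benign-looking body plus a meta refresh that
# would pull a remotely hosted login form over the top of it.
SAMPLE_EMAIL_HTML = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL='https://example.invalid/icloud-login'">
</head><body><p>Your iCloud storage is almost full.</p></body></html>"""


if __name__ == "__main__":
    for target in find_meta_refresh(SAMPLE_EMAIL_HTML):
        print("meta refresh would load:", target)
    print(strip_meta_refresh(SAMPLE_EMAIL_HTML))
```

Stripping the tag is the minimum; a client that renders remote content at all still has to decide whether to fetch remote images and stylesheets, which is a separate, policy-level choice.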


iOS already has a habit of displaying iCloud login prompts at seemingly random moments, and the exploit can be programmed to ask for the password only once so as not to arouse suspicion. Because the fake prompt is part of the rendered message rather than a system dialog, it scrolls with the email content instead of floating over it, but that is a subtle tell, and it is not hard to imagine a slew of unsuspecting Apple users falling for this kind of phishing.


The researcher says he first reported the flaw to Apple in January. After six months with no sign of a fix, he published the exploit online. The strategy appears to be paying off: several days ago, Apple officials told Ars Technica that the company is working on a fix for an upcoming software update.

In the meantime, if you are an Apple user who has not enabled two-step verification, this would be a good time to do so: a password captured this way is then not enough on its own to sign in to the account. Until a fix ships, treat any iCloud password prompt that appears while you are reading an email as suspect.

[Ars Technica]