Flaw in iOS Mail App

Friday, June 12, 2015 @ 03:06 PM gHale

Apple is aware that the email client in its iOS mobile operating system has a vulnerability that allows arbitrary remote HTML content to load, a researcher said.

Czech researcher Jan Souček published proof-of-concept (PoC) code and a video earlier this week to demo his findings.

Souček found the iOS email issue in January. Apparently the email client (Mail.app) doesn’t ignore the HTML tag in email messages. This allows an attacker to create emails that load remote HTML content when opened.

“JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS,” Souček said.

Souček published a video in which he shows how an attacker can send out a specially crafted email that prompts recipients to enter their iCloud credentials. The username and password collected from the victim are then sent back to the attacker.

Souček published the source code for an iOS 8.3 “inject kit” on GitHub. He said this is just an example to demonstrate the existence of the vulnerability, which can be leveraged for other attacks as well, not just credential harvesting.

The researcher said he reported the flaw to Apple back in January via the company’s Radar bug tracking system. He has now decided to publicly disclose the vulnerability because Apple has failed to take any action.

“It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2,” he said. “Therefore I decided to publish the proof of concept code here.”

Apple released the first iOS 9 Beta and iOS 8.4 Beta 4 this week, but it remains unclear whether these versions address the vulnerability. Even if they do fix the flaw, they are currently available only to developers.