iOS latest vulnerability can be achieved“as real”iCloud password fishing-vulnerability warning-the black bar safety net

2015-06-12T00:00:00
ID MYHACK58:62201563531
Type myhack58
Reporter 佚名
Modified 2015-06-12T00:00:00

Description

! Recently a security researcher has released an exploit code. This code suggests that the attacker can be through enough to fake spurious fishing, easily stolen using the latest version of iOS iCloud password. The vulnerability principle This proof-of-concept attacks using the iOS default email program Mail. app of a vulnerability. Since the 4 beginning of iOS8. 3 version since its release, the app failed to from the received mail message in the appropriate culling contain potentially dangerous HTML code. This POC is the use of this vulnerability from a remote server to download a form, the form looks with the legitimate iCloud login prompt window is exactly the same. Whenever a user view contains the“trap”of the message, the fake login prompt window can be automatically displayed. GitHub a username for jansoucek people in the readme file is written the following description: “This vulnerability allows remote loading of HTML content, and may replace the original e-mail message content. Although this UIWebView JavaScript is disabled, but still it is possible by simple HTML and CSS to create a functional password collector.” In order to reduce it suspicious, the attacker can be programmed to achieve just pop up a password window. In order to make it look more real, the attack code using an auto-focus feature to ensure that once the user clicks the“OK”button, then the dialog box of the domain will be automatically hidden. However, in order to trigger the vulnerability required to do is only to make the messages sent to the user contains HTML tag. The vulnerability in addition to can be used to fishing the Apple user's password, but also can be used to send a“message”, this makes the email sender to know who viewed the email, when and to what IP address to view the message. Safety recommendations As an iPhone long-term users, this can be a serious vulnerability: because of the iOS system at unexpected times to display the login prompt is not uncommon. Security researchers had on Wednesday received such a“fishing tip”, and the attack time is only aware of the vulnerability before a few hours. Security researchers recommend that users encountered such a password when prompted, the user better not enter any account password, but directly press the Cancel button. By doing so, in most cases the user will not face any adverse consequences, in the worst case it is only again the pop-up prompt. It is worth mentioning that, when the user to the password prompt box, enter the password before, you should first make sure that this time did not view the e-mail. In addition, more experienced users can by pressing the home key to detecting this false message. Legal tips is“modal dialog”, which means that at the press of the OK or Cancel button before, it does not allow the user to perform any other operation. In contrast, the fake password prompt is not modal, so if the display password prompt box when you press the home button of the device to return to the main screen, then this indicates that the password prompt is not credible. Official Apple now no response According to the researchers of the message, he in 1 month to Apple Inc reported the vulnerability, but so far Apple refuses to provide bug fixes, and Apple has not been for the vulnerability to give any comments, but in iOS8. 4 will be expected to see to the vulnerability fix.