Update: Apple confirmed it’s aware of the issue and working on a fix:
“We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update.”
If you are reading mail on your iPhone and iPad and a popup appears asking you to re-login to iCloud (or anything else), beware. Security researcher Jan Soucek discovered a bug in the iOS Mail app that allowed an attacker to run remote HTML code when an email is opened. That code could easily imitate an iCloud login prompt, fooling users into giving away their Apple ID credentials …
While Soucek uses iCloud as the demonstration – as it’s not uncommon for an iOS device to prompt people to login again – the same code could be used to imitate any website or service. It doesn’t have to be a phishing prompt for authentication either — any arbitrary HTML and CSS can run.
Soucek says that he first spotted the bug in iOS 8.1.1, filing a bug report with Apple. At that time, he kept the details to himself, allowing Apple time to fix the bug. Five months later, the company has still not done so, he said, and he therefore chose to make the code public to draw attention to the risk.
It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here.
Soucek has now uploaded proof of concept to the code-sharing site GitHub. While this serves to alert people to the existence of the flaw, and applies pressure to Apple to fix it in a future update, it also means the code is out there for anyone to use.
The safe course for now is to assume that any login popup that appears while using the iOS Mail app is malicious. If your iOS device does indeed need you to login again to iCloud or anything else, wait until prompted when not using Mail.