by Dan Moren
iOS Mail flaw allows password dialog spoofing
Ars Technica’s Dan Goodin reports on a nasty new iOS vulnerability:
The proof-of-concept attack exploits a flaw in Mail.app, the default iOS e-mail program. Since the release of version 8.3 in early April, the app has failed to properly strip out potentially dangerous HTML code from incoming e-mail messages. The proof-of-concept exploit capitalizes on this failure by downloading a form from a remote server that looks identical to the legitimate iCloud log-in prompt. It can be displayed each time the booby-trapped message is viewed.
This is actually a surprisingly simple vulnerability, based as it is on HTML and CSS, but it also relies heavily on users being accustomed to iOS’s propensity of often presenting dialog boxes to enter their passwords, sometimes seemingly at random.
The fix for it is hopefully similarly simple, with Apple just being more vigilant about stripping out extraneous HTML and CSS. For now, Cupertino suggests enabling two-factor authentication, though it says its working on a patch. If you don’t want to go through the hassle of setting up two-factor authentication right now, the researcher who uncovered the flaw points out you can also generally hit Cancel without ill effect.