Apple News
Now Reading
Beware of your personal info: Hackers found a loophole in iCloud’s security
0

Beware of your personal info: Hackers found a loophole in iCloud’s security

by Raoul Celdran2015/06/12

 

Apple’s reputation of being more secure as compared to Android might not be the same again. Recently, hackers seem to have been attacking iPhone and iPad users. Jansouceket, a GitHub user, discovered the vulnerability in the iOS since January and lately reported it to Apple. Jansouceket is a white hacker that demonstrated how an attack code could be used in the devices Mail app to penetrate confidential information, including iCloud login prompt.

This early April 2015, since Apple released iOS 8.3, the systems, Mail App stopped preventing dangerous HTML code for the email recipients. One of those lines instructs the Mail app to execute a code remotely. The code commands your computer to produce a form box that mimics the iCloud login form. If the user without any suspicion tries to login, then they are welcoming hackers to start phishing information from what they will acquire from the users login information on the fake iCloud form and they will be able to get more information from the users real iCloud account.

Jansoucek cites that JavaScript is being disabled in this user interface, but it is still possible to build this key logger using HTML and CSS (cascading style sheets).

[wpbeautify-video src=”https://www.youtube.com/watch?v=9wiMG-oqKf0″ skin=”skin5″ width=”700″ autoplay=”true”]

As Jansoucek indicates that the HTML code injection can disable JavaScript, it also disables the security and the duty that JavaScript should do to prevent those malicious email popups. The matter can be worse if the user opens the same email again, the code doesn’t execute the same way again to avoid being suspicious, but whatever it is the hackers can leave a cookie to track every move the user does, so anytime the hacker can attack in a different way to get information again.

However, there is a way to be extra cautious to this attacks. Firstly, the box asks for both your Apple ID and password while the real iCloud only ask for your password since your username is already being displayed. Second of all, the box shouldn’t be a modal, so if users were completely familiar with the real iCloud, they would not fall for this kind of trap. Now we know that the attack is not that perfect. Therefore, this kind of situation can be avoided by being aware and cautious when using the Email app.

Overall, this differences will not be easily noticed at the first time. But being aware of the signs right now could help avoid similar situations that may arise in the future.

Leave a Response