Apple has proven the industry many times over that the security behind their technologies is far above the standards but several instances of malware attacks have proven that Apple is not as safe as it touted itself to be.
In a new demo, a software developer showed a potential phishing attack on iOS targeting iCloud and iTunes passwords. The test has successfully stolen passwords through a fake iOS system dialogue.
Also read: Canadian university lost US$9m in phishing attack
Felix Krause has shown a possible phishing activity wherein he took control of a user's iCloud account and Apple ID. As demonstrated, Krause has gained credentials through a bogus iOS system dialogue which looks almost the same to the original. Once the user gives his/her credentials through the fake dialogue, it becomes an opportunity for the culprit to copy the email and password.
The dialogue made by Krause looks exactly like Apple's so it could be hard to spot the difference if users are not aware of it. Purchases done via iTunes or App Store can be a good entry point for hackers to steal credentials.
Krause has underscored in his blog post on Tuesday, October 10 that any app can take advantage of this vulnerability. For example, the UIAlertController dialogue box app can seamlessly copy Apple's stock dialogue box, a sporting chance for cybercriminals to use it to steal personal information of users.
"Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text," stated Krause. "I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code."
To distinguish a fake dialogue box, try hitting the Home button while it is open. If it closes the app, there is a big chance of a phishing attack.
