Apple ID passwords may be vulnerable to iOS phishing attacks | Inquirer Technology

06:13 PM October 11, 2017

Mobile app developer Felix Krause recently revealed a vulnerability in iOS that may put users’ passwords at risk.

Krause detailed in a personal blog post how attackers could use pop-up dialogue boxes as phishing attacks to trick users into voluntarily giving up their Apple ID password.

Phishing attacks are attempts by hackers to obtain sensitive or personal information, such as passwords and credit card details, through the use of malicious software.

Looking at a side-by-side screengrab comparison, there appears to be no difference between the legitimate pop-up and the phishing attack pop-up.

Image: Felix Krause

Krause created a proof-of-concept app to show the security vulnerability in iOS. He explained that the only way to distinguish the fake pop-up from the real one is to press the “home” button.

Pressing the home button would cause the fake pop-up to close together with whatever app it appeared on. For example, if the fake pop-up appeared while the user was playing a game, pressing the home button would close both the game and the pop-up.

On the other hand, a legitimate system pop-up asking for the user’s password would not close after pressing the home button. He explained that this is because a real system pop-up runs in a different process from a standard app.

Krause also noted that spoofing a system pop-up was relatively easy. It took fewer than 30 lines of code, and every iOS engineer would be more than capable of quickly building their own phishing code.

As for the solution, Krause proposed that app pop-up dialogue boxes include the app’s icon. This, he believes, would help distinguish an app pop-up from a system pop-up, and ultimately a fake pop-up from a real one.

He also recommended that users use two-factor verification to increase security. If an attacker got hold of one password, he would still have to go through a different security process to complete the attack.

Finally, Krause believes that, to help prevent exploitation of this vulnerability, users should not be constantly asked for credentials in the first place. JB
