iOS Phishing Attack Demo Shows How Your iCloud Or iTunes Password Can Easily Be Stolen
Developer Felix Krause has shared a concept phishing attack in which an attacker could theoretically gain control of a user’s Apple ID and iCloud account by displaying a bogus iOS system dialog in which credentials for those accounts are simply requested of the user.
The dialog created by Krause looks almost identical to the real thing and would be difficult to distinguish, leading people to simply enter their credentials without pause.
The phishing attack is made possible thanks to the way iOS users have become accustomed to being asked to enter their credentials on iPhones and iPads at seemingly random intervals, whether they are making a purchase via the App Store or iTunes app. This means that if someone is inside any other app and receives the prompt to enter their credentials they are unlikely to question it as, unfortunately, it has become almost commonplace for iOS to ask a user to log in for apparently no reason.
To make things worse, the UIAlertController dialog box emulates a system dialog surprisingly well, and allows an app mimic a real iOS request.
Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text.
I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.
Apple has been made aware of the issue and a suggestion to users is that they simply press the Home button whenever they are asked for credentials in this fashion. If the request is legitimate then the dialog box will remain on-screen even after the app behind it has closed. If not, then something is amiss and the app is doing things it should not.