Thursday, June 11, 2015 [Tweets] [Favorites]

iCloud Passwords in Mail, Device Passwords, and Safari Passwords

Dan Goodin:

The proof-of-concept attack exploits a flaw in Mail.app, the default iOS e-mail program. Since the release of version 8.3 in early April, the app has failed to properly strip out potentially dangerous HTML code from incoming e-mail messages. The proof-of-concept exploit capitalizes on this failure by downloading a form from a remote server that looks identical to the legitimate iCloud log-in prompt. It can be displayed each time the booby-trapped message is viewed.

“This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message,” a user with the GitHub name jansoucek wrote in a readme file accompanying the exploit. “JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS [cascading style sheets].”

Mitchel Broussard (comments):

Soucek says that Apple did not respond to his discovery of the bug when he stumbled across it back in January.

[…]

Soucek kept the details of the bug only between himself and Apple, letting the company have time to possibly fix the attack and inform him of its progress. Given the company’s remaining quietness on the subject, he decided to publish the proof of concept - called the Mail.app inject kit - on GitHub in hopes of spreading its awareness.

Cyrus Farivar:

As part of its iOS 9 announcement on Monday, Apple revealed that all newer iDevices equipped with TouchID and running the newer version of the operating system will be required to upgrade from a four-digit to a six-digit passcode. Passcodes remain optional, and users can create a more complex alphanumeric password, but six digits will be the minimum. After 10 failed attempts to type in the code, the device will erase itself.

Dan Thorp-Lancaster:

The issue up until now has been that web view hasn’t been allowed to store cookies for security reasons, so logins can’t persist. The solution that Safari view controller brings to the table is to essentially pull the information from Safari.

Apple:

You can use SFSafariViewController to display web content within your app. The Safari View Controller shares cookies and other website data with Safari, and has many of Safari’s features, like Safari AutoFill and Safari Reader. Unlike Safari itself, the Safari View Controller UI is tailored for displaying a single page, featuring a Done button that’ll take users right back where they were in your app.

Consider replacing your WKWebView or UIWebView-based browsers with SFSafariViewController if your app displays web content but does not customize that content.

3 Comments

"After 10 failed attempts to type in the code, the device will erase itself."

I sure hope that part is optional. If you have little kids you have little kids trying to guess your password to watch cartoons on Netflix. I put passcode on all our iDevices a while back to limit electronic use by the kids. Guess how many, when I pick them up, say I have to wait an hour to enter the password because of too many attempts? Yeah all of them.

"After 10 failed attempts to type in the code, the device will erase itself."

Be grateful The first beta had the device explode after 10 failed attempts.

[…] Previously: iCloud Passwords in Mail, Device Passwords, and Safari Passwords. […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment