{"id":19183,"date":"2017-10-10T13:34:10","date_gmt":"2017-10-10T17:34:10","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=19183"},"modified":"2017-10-11T14:38:47","modified_gmt":"2017-10-11T18:38:47","slug":"in-app-apple-id-password-phishing","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2017\/10\/10\/in-app-apple-id-password-phishing\/","title":{"rendered":"In-App Apple ID Password Phishing"},"content":{"rendered":"<p><a href=\"https:\/\/krausefx.com\/blog\/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking\">Felix Krause<\/a> (<a href=\"https:\/\/twitter.com\/KrauseFx\/status\/917736396131061761\">tweet<\/a>, <a href=\"https:\/\/news.ycombinator.com\/item?id=15441537\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/krausefx.com\/blog\/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking\"><p>As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.<\/p>\n<p>This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.<\/p>\n<p>[&#8230;]<\/p>\n<p>Hit the home button, and see if the app quits:<\/p>\n<ul>\n<li>If it closes the app, and with it the dialog, then this was a phishing attack<\/li>\n<li>If the dialog and the app are still visible, then it&rsquo;s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.<\/li><\/ul>\n<p>[&#8230;]<\/p>\n<p>Initially I thought, faking those alerts requires the app developer to know your email. 
Turns out, some of those auth popups don&rsquo;t include the email address, making it even easier for phishing apps to ask for the password.<\/p><\/blockquote>\n\n<p>Previously: <a href=\"https:\/\/mjtsai.com\/blog\/2016\/12\/15\/macos-10-12-2-impedes-safari-bookmarklets\/\">macOS 10.12.2 Impedes Safari Bookmarklets<\/a>.<\/p>\n\n<p>Update (2017-10-11): <a href=\"https:\/\/twitter.com\/marcoarment\/status\/917763900816396288\">Marco Arment<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/marcoarment\/status\/917763900816396288\">\n<p>It&rsquo;s long past time that Apple removes the random password popups that plague iOS.<\/p>\n<p>They&rsquo;re a security flaw that should not exist in 2017.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/daringfireball.net\/linked\/2017\/10\/10\/ios-phishing\">John Gruber<\/a>:<\/p>\n<blockquote cite=\"https:\/\/daringfireball.net\/linked\/2017\/10\/10\/ios-phishing\">\n<p>I&rsquo;ve been thinking about this for years, and have been somewhat surprised this hasn&rsquo;t become a problem. It&rsquo;s a tricky problem to solve, though. How can the system show a password prompt that can&rsquo;t be replicated by phishers?<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Felix Krause (tweet, Hacker News): As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[707,31,1472,981,1200,48],"class_list":["post-19183","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-id","tag-ios","tag-ios-11","tag-passwords","tag-phishing","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=19183"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19183\/revisions"}],"predecessor-version":[{"id":19186,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19183\/revisions\/19186"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=19183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=19183"},{"taxonomy":"post_tag","embeddable":true,
"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=19183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}