New iOS Phishing Attack Could Trick You Into Giving Away Your Apple ID Password

Here’s something that all iOS users need to pay attention to. A new blog post from developer Felix Krause explains how the popup which iOS users are familiar with to enter their password could be used to easily trick someone into handing over their Apple ID and password. It’s apparently easy to emulate and while he hasn’t published code that allows one to do this, it is likely going to be in the wild in short order. Now he’s filed a bug report with Apple, but here’s what you should do to protect yourself. From his post:

  • Hit the home button, and see if the app quits:
    • If it closes the app, and with it the dialog, then this was a phishing attack
    • If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.
  • Don’t enter your credentials into a popup, instead, dismiss it, and open the Settings app manually. This is the same concept, like you should never click on links on emails, but instead open the website manually
  • If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.

I recommend reading Krause’s full explanation of this phishing method on his blog. Hopefully Apple reads it too and does something about this in short order.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: