If you're an iOS user, chances are you've seen the screen above pop up many times over the time you have used your device. Most people think nothing of it: they simply type in their password and move on. While both prompts look identical, one is actually a proof of concept exposing a loophole that has been present in iOS for years. This loophole could easily be used to gather users' passwords just by spoofing the sign-in popup.
Felix Krause has brought this issue to light and shared it on his website in the hope that Apple will take notice and close the vulnerability. According to Krause, the phishing attack works because iOS users have grown accustomed to the prompt and see nothing malicious in it. Any coder could take advantage of the vulnerability, making it an easy way to gain access to vital information.
So how do you detect whether something like this is happening to you? Simply hit the home button and see if the dialog box goes away. If it does, it was most likely a phishing attempt. If it remains on the screen, it is most likely a proper prompt, since the system dialog runs independently of apps and is attached to a different process.
Krause not only exposes the issue but also offers suggestions on how this and other mobile phishing tactics might be thwarted. If you are concerned, it would be wise to check out all of the details on his site via the link below.
Source: Felix Krause