Mail Bug Creates Concern Among iPhone Users

Apple has long maintained that it places top priority on user security for the Mac and all other products that run iOS. The company has been at the forefront of the technology race to develop new and exciting devices and software for its users. However, it found itself in a tight spot when an Ernst & Young security researcher claimed to have uncovered a flaw in the iOS 8.3 email app that could lead to password theft from the iCloud service. Coming from a brand like Apple, which places so much emphasis on the user experience, this vulnerability hit users out of the blue. The bug is so discreet that the average user would not notice it at all, which is why it has created such a frenzy. A deeper look into the mechanics of the bug revealed some interesting facts.

Through a recently published proof-of-concept tool, internationally acclaimed researcher Jan Soucek showed how iOS's Mail application could be exploited so subtly that the average user would not notice anything wrong. So what kind of damage are we actually looking at here?

Security Breach Explained

According to Soucek, the bug enables HTML content to be loaded remotely while the original email message is removed in its entirety. He went on to explain that although JavaScript is not enabled in the UIWebView in question, a "password collector" can still be built that works with standard HTML and CSS. The code uses cookies to detect that the target has previously visited the page, and in that case the password prompt is held back to avoid arousing the user's suspicion.

Advanced Implications and How to Protect Yourself

Further analysis revealed that the password field has autofocus enabled so that it mimics Apple's original password prompt, assuring the user that nothing is out of order and everything is legitimate. For now, the only safe course is to assume that just about any login pop-up that appears is unsafe and could be a threat to your security. If your iOS device repeatedly asks you to log in to iCloud or any other application, it is in your best interest to wait for the prompt to appear when you are not using the Mail application.
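The traits described above (an HTML form in the message body, a password field, autofocus) are things a mail filter can check for. The following Python sketch is an added example, not code from Soucek's tool or from Apple; the function names, finding labels and both sample messages are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

class CredentialFormFinder(HTMLParser):
    """Records login-prompt traits seen in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; valueless attrs have None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.findings.add("form")
            if a.get("action", "").lower().startswith(("http://", "https://", "//")):
                self.findings.add("form-posts-to-remote-host")
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.findings.add("password-field")
            if "autofocus" in a:
                self.findings.add("autofocus")

def scan_message(raw_bytes):
    """Return sorted findings across every text/html part of a MIME message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    finder = CredentialFormFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return sorted(finder.findings)

def is_suspicious(raw_bytes):
    # A message body has no legitimate reason to ask for a password.
    return "password-field" in scan_message(raw_bytes)

# Constructed sample messages (not captured traffic).
_HEADERS = (b"From: sender@example.com\r\nTo: user@example.com\r\n"
            b"Subject: sample\r\nMIME-Version: 1.0\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n\r\n")
SAMPLE_PROMPT = _HEADERS + (
    b"<html><body><form action='https://collector.example/login' method='post'>"
    b"<input type='password' name='pw' autofocus></form></body></html>\r\n")
SAMPLE_BENIGN = _HEADERS + b"<html><body><p>Meeting moved to 3pm.</p></body></html>\r\n"

if __name__ == "__main__":
    for name, raw in (("prompt", SAMPLE_PROMPT), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(raw), scan_message(raw))
```

A check like this only sees HTML carried in the message itself; content the client fetches remotely after delivery is outside its view, so it complements rather than replaces the user-side caution described above.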

Industry expert Michael Oh, the founding executive and chief technology officer of TSP, a team of specialists focusing on Apple technology, states that "although the threat is not really serious in perspective of confidential device data being stolen, it should be paid due attention since it involves the most current version of security issues that are the consequence of social engineering and cloud services combined."

What Kind of Damage Are You Looking At

If somebody has access to your iCloud password, you are at risk of losing tremendous volumes of data, including contact lists, calendars, personal email accounts, and pictures. The consequences of such a breach could be terrible and even humiliating if the victim is somebody of reasonable clout. Apart from personal sabotage, the person breaking in could even purchase things online. Advanced users would not be affected by this; just about everyone else, however, stands to suffer huge losses through such a breach.

Possible Motives and Consequences of the Bug

There is a lot of speculation regarding the actual motive of somebody who takes advantage of this bug and the applications involved. Some industry experts believe that the bug is not going to be behind large-scale phishing campaigns; rather, it will be a tool for hackers who target specific people, such as celebrities, to grab hold of confidential content such as sensitive photographs. After the huge iCloud hacking debacle that focused on a lot of celebrities last year, Apple sprang into action by providing a guide that helped users authenticate the iCloud page they were visiting. The Chicago Sun-Times reported that a flagged IP address led FBI agents to the perpetrator of the hack, which in turn led to a detailed investigation into the mechanics of the breach.