A security researcher claims to have developed a way to send iCloud users fake phishing emails that, by exploiting a security bug in Apple's mobile operating system, could make millions of customer passwords vulnerable.
Researcher Jan Soucek has built an iOS 8.3 Mail.app inject kit that exploits a bug in the Apple mobile operating system's native email client to produce a realistic pop-up that looks just like the kind of messages Apple users normally see when they're asked to enter their password.
Soucek has published his tools on GitHub and says it is a better phishing tool than using a form directly within an HTML email because it targets only users of the iOS app and allows changes to be made to already live phishing campaigns.
You can also check the PoC demonstration of the Mail.app bug in a video.
Soucek reported the issue to Apple in January but, unfortunately, received no response. Apple's security team has not yet confirmed the bug.
Soucek says:
"This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS."
Apple's team has not commented on this report, but the issue once again shows how easily scammers and hackers can carry out phishing attacks on Apple's users.
For some reason, the PoC video has been removed from YouTube.
The last time iCloud made headlines across the media was when thousands of celebrities' private photos were leaked in a campaign called "The Fappening".