A bug in the standalone mail client for both iOS and OS X could enable an attacker to load external HTML and easily carry out convincing phishing attacks on unsuspecting users.
In fact, with a little HTML and CSS, an attacker could trick users into giving up their usernames and passwords, according to Jan Souček, a researcher based in Prague, Czech Republic.
Souček found the bug and reported it to Apple earlier this year, but after five months of radio silence and several software updates that failed to address the bug, he decided over the weekend it was time to post proof of concept code for the issue.
My first GitHub repo is up. Hooray! Now go, Apple, and fix the bug 😉 https://t.co/nw2IXGx80U
— Jan Souček (@jansoucek) June 7, 2015
The issue lies in the fact that Apple’s email client honors an HTML tag, <meta http-equiv=refresh>, instead of ignoring it. By using the tag to load external HTML content that replaces the body of the message, an attacker could change what the victim sees and prompt them for a password.
After finding the bug in January, Souček filed a ticket (#19479280) with Apple via Radar, the company’s bug reporting tool. A few days later Souček added a video demonstrating the attack to the ticket, and eventually received a generic response from Apple stating the company doesn’t discuss the security of their products.
The video shows a popup in Mail rigged to look like a legitimate login window. The window, marked “iCloud login,” is the same prompt that usually appears when iOS users are experiencing activation or network issues. With this one, however, once a user enters their username and password, the information is forwarded to the attacker, sight unseen.
Souček, who works in IT forensics, doesn’t normally look for vulnerabilities, but told Threatpost Tuesday that he does like to “poke stuff and see what happens next.”
The issue actually borrows elements from a similar injection vulnerability, CVE-2014-4925, that surfaced in January. That bug in Good, an enterprise app for iOS and Android, allowed an attacker to embed HTML into email headers, which could launch a browser session and connect a user to a malicious website upon opening the email.
When Souček heard about the bug, he sniffed around Apple’s mail client and discovered it was vulnerable to the same issue. He went on to use styles from Framework7, a mobile development framework, to mimic the native iOS modal dialog and the proof of concept was born.
“We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update,” an Apple spokesperson told Threatpost Thursday, adding that the company is encouraging users to activate two-factor authentication if they haven’t already on their devices.
Souček believes it should be an easy fix.
“The obvious solution would be to ignore the meta refresh tag, just like so many other html tags…” Souček said, adding that someone on Reddit was able to come up with a fix in all of five minutes. That fix, put out by HASHBANG Productions, blocks any sort of navigation not invoked by the user and can only be added to jailbroken phones for the time being.
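The fix Souček describes, ignoring the meta refresh tag rather than letting it pull in external HTML that replaces the message body, can also be applied at a mail gateway before a message reaches the client. The Python filter below is an added example, not Apple’s, Souček’s or HASHBANG’s code; it rebuilds an HTML mail part with any meta refresh tag removed and records the refresh target for alerting. The sample message and the URL in it are constructed.

```python
# Added example (not Apple's, Souček's or HASHBANG's code): a mail-gateway
# filter that drops <meta http-equiv="refresh"> from HTML parts and records
# the navigation target. The sample message and URL below are constructed.
import re
from html.parser import HTMLParser

# "content" looks like "0; url=https://..." with the keyword in any case
URL_IN_CONTENT = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)

class MetaRefreshStripper(HTMLParser):
    """Rebuilds the HTML verbatim, except that meta refresh tags are dropped
    and their navigation targets are collected for logging or alerting."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out, self.refresh_targets = [], []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        attr = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("http-equiv", "").strip().lower() == "refresh":
            m = URL_IN_CONTENT.search(attr.get("content", ""))
            self.refresh_targets.append(m.group(1) if m else attr.get("content", ""))
            return  # tag dropped: the client must never navigate on it
        self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # also covers the <meta ... /> form
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def strip_meta_refresh(html):
    """Return (sanitized_html, list of refresh targets that were removed)."""
    p = MetaRefreshStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.refresh_targets

# Constructed sample: a message whose body Mail would replace with external HTML
SAMPLE_EMAIL_HTML = ('<html><head><meta charset="utf-8"><meta http-equiv="Refresh" '
    'content="0; url=https://example.invalid/icloud-login"></head>'
    '<body><p>Your iCloud account needs attention &amp; re-login.</p></body></html>')

if __name__ == "__main__":
    clean, targets = strip_meta_refresh(SAMPLE_EMAIL_HTML)
    print("removed refresh targets:", targets)
```

Any non-empty list of targets is the signal worth alerting on, since a legitimate message has no reason to redirect the reader’s mail client.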
“I am all for private disclosures, but we always need to operate with an assumption that very few exploits are known only to the “good guys” before the hotfix is made available, therefore any longer period of inactivity by the vendor just puts more end users at risk,” Souček said.
“There is no excuse for Apple’s lack of action.”