iOS dialogue box is a potential phishing channel, explains developer Krause

Last week, web developer Felix Krause announced on his blog that Apple iOS was vulnerable to phishing attacks, as he was able to "hack", rather effortlessly, a popup from Apple prompting consumers to enter their passwords.  Krause emphasizes that such a system loophole poses a problem, as any individual with ill intentions could carry out extensive phishing attacks and gather substantial information on targets.

How Come?

Krause writes, “iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.  As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.”

It is important to specify that Krause proves a point by mimicking potential hacks and revealing a vulnerability in popular platforms.  No actual hacks via this method have been reported thus far.  Still, the demonstration encourages users to think critically.  If a web developer can reproduce a popup from Apple for the sake of raising awareness and democratizing information security, imagine the damage that could ensue if cybercriminals were to use such a channel for phishing.

News outlets have tried to contact Apple for comments, to no avail, according to The Register, an online IT magazine.

In his blog post, Krause suggests that users verify the legitimacy of the sign-in dialogue box by pressing the home button of the device (either iPhone or iPad) and seeing whether the application and popup stay open or disappear.  If they disappear, Krause warns, users are facing a phishing attack.  He also suggests that users not enter their credentials in the dialogue box; instead, they should locate the actual app and settings and manually input their credentials there.

Implications for Information Security

This mock attempt brings to light several implications for cybersecurity.  Phishing attacks may impersonate even the most esteemed apps and websites and pervasively infiltrate our digital routines.  Consequently, effective awareness campaigns and methodologies promoting information-security best practices are vital to preserve our right to privacy and to protect our businesses and public institutions.