Proof of concept phishing attack mimics iOS popups to steal user passwords

Posted in iPhone, edited October 2017
Demonstrating a potentially glaring iOS security hole, developer Felix Krause created a proof of concept phishing attack that takes advantage of system popups, and the way users interact with these messages, to steal Apple ID credentials.




Detailing the method in a blog post on Tuesday, Krause notes Apple's iOS prompts users to enter their iTunes password, or Apple ID password, on a rather frequent basis. Whether it be an app download, firmware update or authentication for in-app purchases, the credential-seeking popups have for many become part of the iOS experience.

With requests pervading iOS, and an inherent trust that the requests are legitimate, Apple has inadvertently trained users to hand over their password without scrutiny. This behavior, combined with some handiwork on the part of malicious developers, presents a real security threat, Krause says.

The developer notes a simple UIAlertController, carefully crafted to mimic Apple's system dialog, can be employed in a successful phishing attack. As seen in the screenshot above, Krause was able to create a phony password request popup that would likely fool a large number of iOS users.

Further, while some alerts require an app to know a user's email address, other authorization popups do not.

Though the loophole has been a known problem for some time, Krause has decided not to reveal the source of his crafted popup. However, the developer said it was "shockingly easy" to replicate Apple's official dialog, noting the project comprised less than 30 lines of code.

Krause points out that an app containing such code is unlikely to make it through the App Store approval process, but developers can use a number of -- unsanctioned -- workarounds to execute malicious code after their title goes live.

While there is no surefire way to defend against the popup phishing attack, users can protect themselves by exercising caution when handing over sensitive information.

For example, users can test whether a dialog is legitimate by pressing the home button when presented with a suspicious app, Krause says. If the action closes the app and dialog, the popup can be determined to be a phishing attack and not a legitimate Apple system process.

Krause suggests users refrain from entering credentials into popups altogether. Instead, users should dismiss suspicious dialogs and enter password information in the Settings app. Two-factor authentication might protect against some attacks, but crafty developers can get around the password and code protocol using phishing methods similar to those described above.

In a radar filed to Apple, Krause proposes iOS should indicate whether a dialog originates from a system request or an app request. He also suggests all password requests be handled in the Settings app, not through direct popups.

Comments

  • Reply 1 of 23
    So, write a javascript code to display a Sign-In required dialog, put it on a website [email protected] and expect the users enter their iCloud passwords into that dialog. Kids would ROFL to that... 
    edited October 2017
  • Reply 2 of 23
    As long as people are using passwords, this will always be a problem. This is why Touch ID exists.
  • Reply 3 of 23
    Maybe iOS could have a phrase or image that the user picks for valid system notifications?

    Just a thought.
  • Reply 4 of 23
    Password in settings is no good - I want to be prompted for my password so my niece and nephew don't change/buy things. The app dialogs should be different to the system ones. I've never liked the system dialogs - but it'll be 'safer' to change the 'app dialog' appearance (e.g. Have the app name appear somewhere there).
  • Reply 5 of 23
    I've very recently seen this happen and suspected it was malware! Because it happened as some devices were updating to iOS 11 and new versions of iTunes, I gave it the benefit of the doubt but now I need to go back and sort this.
  • Reply 6 of 23
    MplsP Posts: 783 member
    So is this a case of javascript being able to 'hijack' the system dialog box or simply copy it? This problem is not necessarily unique to iOS - any operating system could have the problem (in fact I remember similar attacks on windows computers several years ago.) 
  • Reply 7 of 23
    Rayz2016 Posts: 4,461 member
    This has been a problem for every single operating system since the beginning of time. Must be a slow click day. 
  • Reply 8 of 23
    Very Old Fake News. A 3rd party app never knows your name or apple id, therefore an attacker can't create a popup that knows your name and/or your id.
  • Reply 9 of 23
    Rayz2016 said:
    This has been a problem for every single operating system since the beginning of time. Must be a slow click day. 
    Yes, remember playing with the idea on my University VAX back in the early 80s :wink: 
  • Reply 10 of 23
    Grimzahn said:
    Very Old Fake News. A 3rd party app never knows your name or apple id, therefore an attacker can't create a popup that knows your name and/or your id.
    That is why the article said the pop up sometimes required your email address 
  • Reply 11 of 23
    Rayz2016 said:
    This has been a problem for every single operating system since the beginning of time. Must be a slow click day. 
    So have bank robberies.  It doesn't mean that banks ignore the risk.  

    This one is quite obviously a huge one that Apple needs to address...   What good is password if a hacker can get it with just 30 lines of code?
  • Reply 12 of 23
    mike1 Posts: 1,764 member
    He hasn't found a flaw in iOS, he found a flaw in people.
  • Reply 13 of 23
    techno Posts: 676 member
    Grimzahn said:
    Very Old Fake News. A 3rd party app never knows your name or apple id, therefore an attacker can't create a popup that knows your name and/or your id.
    Very wrong. I just recently saw this happen. My friend had just updated to iOS 11, although this has nothing to do with it, other than making the user think it was connected. In his normal everyday use a system dialog appeared asking for his Apple ID password. He put it in because like most average users, they would not ever suspect it is not a legit system alert. Within a day or so, his iMac had a lock screen telling him he had to put in his "system lock PIN code" in order to unlock his Mac. Below the area for the PIN was some text telling him to write to a non Apple email address. At this point, he knew something was wrong. 

    You leaped to the wrong conclusion. The 3rd party app does not know your info. Look at the screen shot in the article. It does not mention their Apple ID nor does it validate the password when put in. It merely captures it. The hacker then logs into your iCloud account and locks the device with a message to email them. Once you do, they tell you to pay to unlock it.

  • Reply 14 of 23
    airnerd Posts: 591 member
    This has always been something that could happen.  HOWEVER, the most important part of the article is the "press home button" information on how to determine legitimacy.  

    Good article in that it announced a potential problem, listed how unlikely it is, and told how to best avoid it.  Would only ask that the solution to avoid it paragraph be bolded or something for those of us that scan through these quickly. 
  • Reply 15 of 23
    netrox Posts: 681 member
    techno said:
    Grimzahn said:
    Very Old Fake News. A 3rd party app never knows your name or apple id, therefore an attacker can't create a popup that knows your name and/or your id.
    Very wrong. I just recently saw this happen. My friend had just updated to iOS 11, although this has nothing to do with it, other than making the user think it was connected. In his normal everyday use a system dialog appeared asking for his Apple ID password. He put it in because like most average users, they would not ever suspect it is not a legit system alert. Within a day or so, his iMac had a lock screen telling him he had to put in his "system lock PIN code" in order to unlock his Mac. Below the area for the PIN was some text telling him to write to a non Apple email address. At this point, he knew something was wrong. 

    You leaped to the wrong conclusion. The 3rd party app does not know your info. Look at the screen shot in the article. It does not mention their Apple ID nor does it validate the password when put in. It merely captures it. The hacker then logs into your iCloud account and locks the device with a message to email them. Once you do, they tell you to pay to unlock it.

    How is the iOS update connected to the iMac MacOS? It looks like the user downloaded a malware on his Mac.

  • Reply 16 of 23
    techno said:
    Grimzahn said:
    Very Old Fake News. A 3rd party app never knows your name or apple id, therefore an attacker can't create a popup that knows your name and/or your id.
    Very wrong. I just recently saw this happen. My friend had just updated to iOS 11, although this has nothing to do with it, other than making the user think it was connected. In his normal everyday use a system dialog appeared asking for his Apple ID password. He put it in because like most average users, they would not ever suspect it is not a legit system alert. Within a day or so, his iMac had a lock screen telling him he had to put in his "system lock PIN code" in order to unlock his Mac. Below the area for the PIN was some text telling him to write to a non Apple email address. At this point, he knew something was wrong. 

    You leaped to the wrong conclusion. The 3rd party app does not know your info. Look at the screen shot in the article. It does not mention their Apple ID nor does it validate the password when put in. It merely captures it. The hacker then logs into your iCloud account and locks the device with a message to email them. Once you do, they tell you to pay to unlock it.
    Malware can be distributed via ads. Safari's "Open safe files after downloading" option is unchecked by default. But if it is somehow left checked, simply browsing a web page with malware embedded in an ad would download and open the malware in a blaze. Any executable file downloaded that way is first caught by macOS Gatekeeper. It asks you whether you want to open that application from an unknown developer. If Gatekeeper is disabled or non-existent in an old version of OS X, macOS still asks whether you want to open that application the first time on this Mac. If again you accept that without checking, then you may be vulnerable to any phishing attempts to catch your password afterwards.

    Lesson to learn: always use the latest version of macOS, and enable 2-factor authentication in your AppleID account. 2-factor authentication will send a PIN code to one of your trusted devices as the second verification step after entering your correct password.
  • Reply 17 of 23
    cgWerks Posts: 1,761 member
    When I changed my email address associated with my Apple ID, I was constantly being asked to re-authenticate all over the place in iOS. When I moved from my iPad to my newer iPhone SE, the problems seemed to go away. But, I could see someone easily getting fooled by something like this given Apple's sloppy way the OS asks for authentication.

    Apple ID authentication should be setup ONLY in the Settings, and then verified via Touch ID. All the Apple Apps should reference that or make the user go back there. There shouldn't be random Apple ID asking popups outside of that. It's just teaching the users to be phished.

    (Another entry for my Apple bad design list.)
  • Reply 18 of 23
    cgWerks said:
    When I changed my email address associated with my Apple ID, I was constantly being asked to re-authenticate all over the place in iOS. When I moved from my iPad to my newer iPhone SE, the problems seemed to go away. But, I could see someone easily getting fooled by something like this given Apple's sloppy way the OS asks for authentication.

    Apple ID authentication should be setup ONLY in the Settings, and then verified via Touch ID. All the Apple Apps should reference that or make the user go back there. There shouldn't be random Apple ID asking popups outside of that. It's just teaching the users to be phished.

    (Another entry for my Apple bad design list.)
    All iOS password dialogs clearly indicate what it is for. There are no randomly popping password requests in iOS. If an app mimics Apple’s password request it will be already caught during AppStore approval process. So, the “30 lines of code” that developer is bragging about has no significance and writing a comment about these is boring enough.
  • Reply 19 of 23
    cgWerks Posts: 1,761 member
    macplusplus said:
    All iOS password dialogs clearly indicate what it is for. There are no randomly popping password requests in iOS. If an app mimics Apple’s password request it will be already caught during AppStore approval process. So, the “30 lines of code” that developer is bragging about has no significance and writing a comment about these is boring enough.
    Oh, I assure you, I had dialogs popping up every 5 to 10 minutes at one point in time during regular use. It's because they had my old email address 'baked' in somehow, so the dialog would come up with my old email and a password entry spot... which would fail because they didn't match. With enough monkeying around, I was able to reduce it, but never completely solve it, until moving to a new device.

    Whether it's possible for a nefarious developer to use that poor behavior on Apple's part to phish a user who isn't as highly aware as you, is kind of what this article is about.

    Either way, it's sloppy development and design on Apple's part. And, when you get sloppy about security, you *train* the average user to fall prey to phishing schemes.
  • Reply 20 of 23
    cgWerks said:
    macplusplus said:
    All iOS password dialogs clearly indicate what it is for. There are no randomly popping password requests in iOS. If an app mimics Apple’s password request it will be already caught during AppStore approval process. So, the “30 lines of code” that developer is bragging about has no significance and writing a comment about these is boring enough.
    Oh, I assure you, I had dialogs popping up every 5 to 10 minutes at one point in time during regular use. It's because they had my old email address 'baked' in somehow, so the dialog would come up with my old email and a password entry spot... which would fail because they didn't match. With enough monkeying around, I was able to reduce it, but never completely solve it, until moving to a new device.

    Whether it's possible for a nefarious developer to use that poor behavior on Apple's part to phish a user who isn't as highly aware as you, is kind of what this article is about.

    Either way, it's sloppy development and design on Apple's part. And, when you get sloppy about security, you *train* the average user to fall prey to phishing schemes.
    Since apps are sandboxed in iOS, there is no common authorization or authentication API in iOS. Thus an app can only ask for a password for its services, login to a remote server and the like. An app cannot deliberately trigger the system's authentication and authorization dialogs; those are controlled by iOS, not the app. All an app can do is present a fake iCloud login dialog, but this is so rough and naive as an attack that it would be immediately discovered by the AppStore review team, and the developer may be banned and even reported to law enforcement for attempted computer crime. There is nothing sloppy in iOS security architecture, all is finely crafted.