iOS Users Can Be Easily Tricked Into Revealing Their Apple ID Password: Report

 
Share on Facebook Tweet Share Share Reddit Comment
iOS Users Can Be Easily Tricked Into Revealing Their Apple ID Password: Report

Highlights

  • There is a potential design flaw in iOS
  • The system-level password dialog box can be easily replicated by an app
  • Apple hasn't addressed the matter yet

There is a potential design flaw in iOS, Apple's mobile operating system, that allows any developer to recreate a genuine-looking password pop-up menu in their apps, as per s security researcher. The problem? iOS users are accustomed to seeing that pop-up menu at random times, a fact that a rogue developer could abuse. Since there is no way to tell the password dialog created by an app from the system-level pop-up, a user can easily be tricked into sharing their most sensitive information with the fraudulent agent thanks to the spoofing.

The flaw, which has existed for years, was spotted by Felix Krause, an iOS developer. According to Krause, it is very easy to replicate the dialog box. On its part, Apple has over the years done a poor job with how it asks users to interact with the dialog box. Users are used to seeing the box at random hours and entering their details, he said.

ios password dialog box iOS  Security  Mobiles  Apple

Spot the difference. There isn't one.
Photo Credit: Felix Krause

There is no evidence that a developer has ever tried to abuse this flaw, but one can't really tell even if it has happened. The only company that may have some information is Apple, which as usual remains tightlipped. "It is concerning to think that is all it would take to display a convincing dialog," Will Strafach, an iOS hacker and developer, tweeted.

"It's long past time that Apple removes the random password popups that plague iOS. They're a security flaw that should not exist in 2017," Marco Arment, a prominent iOS developer tweeted. "I'm sure whoever's responsible for them has some reasons they think are good for why they need to be there. They're not, and they don't."

As we wait for Apple to do something, Krause has found a stopgap solution that users can use to know when the password dialog they are seeing is genuine. Hit the home button. If it's a system-level dialog, it will stick around. If it's generated by an app, it would go away.

Additionally, "always close the dialog, and open the iCloud settings manually, and only enter [the password] there," Krause said.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: Apple, iOS, Mobiles, Security
Gadgets 360 Staff

The resident bot. If you email me, a human will respond.

More
OnePlus Said to Be Collecting Unanonymised User Data, Company Responds
 
 

Advertisement