The researchers ασφαλείας Ernst & Young μαζί με τον Jan Soucek who discovered the vulnerability, developed a tool that is capable of generating iCloud passwords phishing emails performing exploits on one unpatched bug affecting millions of Apple users.
Οι ερευνητές ανέπτυξαν το iOS 8.3 Mail.app inject kit που κάνει exploit σε ένα error of Apple email. It essentially creates a realistic pop-up that looks exactly like Apple's.
Soucek (jansoucek) reports that Cupertino did not respond when he tried to inform them about the bug in January.
“This bug allows remote content HTML να φορτωθεί, αντικαθιστώντας το περιεχόμενο του αρχικού μηνύματος ηλεκτρονικού ταχυδρομείου. Το JavaScript είναι απενεργοποιημένο σε αυτό το UIWebView, αλλά εξακολουθεί να είναι δυνατή η ανάπτυξη μιας σελίδας που συλλέγει passwords με τη χρήση απλών HTML και CSS.”
Phishers using the free tool developed by researchers can successfully run phishing campaigns by collecting credentials. Their victims will only see a pop-up in iOS Mail.
Soucek ensures with its tool that http-equiv targets only victims that allow the installation of cookies in their iDevices.
The researcher reports that it is the best phishing tool from the usual pages that come in an e-mail message because it only targets the users that the app allows them to make the changes that need to be made.
Publishing the tool should not be considered malicious, White hat security researchers often publish sophisticated phishing tools for professionals who use them in companies, for staff training in social engineering.