Proof-of-Concept Exploit Could Put Apple ID Passwords at Risk

Security researcher Felix Krause published a proof-of-concept social engineering exploit designed to expose how easily hackers can gain access to iOS users’ Apple ID passwords, which are used to access iCloud accounts and make purchases through iTunes and Apple’s App Store. He explained that, because users have become accustomed to entering their Apple ID passwords whenever the prompt appears on their iOS devices, a malicious app could take advantage of this reflex by displaying a UIAlertController that looks identical to the legitimate system prompt, thereby tricking users into entering their passwords. Krause submitted this flaw as a community bug report on Open Radar.

The NJCCIC recommends that iOS users pay close attention to which app generates the Apple ID password prompt and, if the origin is unclear, press the home button. If the home button closes only the prompt and not the app, the prompt is legitimate. If the home button closes both the app and the prompt simultaneously, the prompt was a phishing attempt and the user should uninstall the malicious app immediately.
