iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking — Felix Krause


49 bookmarks. First posted by stantont 9 weeks ago.


• Hit the home button, and see if the app quits:
-If it closes the app, and with it the dialog, then this was a phishing attack
-If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that system dialogs run in a separate process, not as part of any iOS app.
• Don’t enter your credentials into a popup; instead, dismiss it and open the Settings app manually. This is the same concept as never clicking links in emails, and instead opening the website manually.
• If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after you enter the first characters, the app probably already has your password.
iphone  security 
6 weeks ago by some_hren
RT : Oh, come on, Apple. This is basic stuff for browsers; raise your game.
from twitter_favs
8 weeks ago by asbjornu
Phishing techniques are migrating to mobile
security  ios  apple  phishing  research  privacy 
8 weeks ago by jefframnani
I was just reading this - Twitter Lite ❤️
from twitter
8 weeks ago by gpessia
iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking
from twitter
8 weeks ago by mkb
Developer Felix Krause shows how malicious apps on iOS can easily replicate the native system dialog box to phish for Apple ID passwords
8 weeks ago by joeo10
RT : Nice reminder of how simple phishing attacks can be. Hope Apple does something about this!
ios  security  from twitter
8 weeks ago by grzbielok
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely; they'll probably just hand over their credentials, as they've been trained to do 👌
writing  from iphone
8 weeks ago by iagor
iOS Is Ripe for Phishing Password Prompts
ifttt  feedbin 
8 weeks ago by mgacy
Android too. I think we need some physical UI ("lock" LED?) that activates iff OS is performing auth
from twitter
8 weeks ago by lukasb
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely; they'll probably just hand over their credentials, as they've been trained to do 👌
Disclaimer
This is just a proof of concept; phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup; however, it was shockingly easy to replicate the system dialog.
security  privacy  ios  apps  phishing  appleID  passwords  ui/ue 
8 weeks ago by rgl7194
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just…
from instapaper
8 weeks ago by johnrclark
Felix Krause:

iOS asks the user for their iTunes password for many reasons; the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.

As a result, users are trained to just enter their Apple ID password whenever iOS prompts them to do so. However, those popups are not only shown on the lock screen and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.

This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.

Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.

I’ve been thinking about this for years, and have been somewhat surprised this hasn’t become a problem. It’s a tricky problem to solve, though. How can the system show a password prompt that can’t be replicated by phishers? The best idea I’ve seen is for these system-level prompts to only appear in the Settings app. When the system needs your iCloud or iTunes password while you’re in any other app, that prompt would take you to Settings, where you’d then be prompted for the password. That’s not great, though, because it makes entering your password far more cumbersome. And how would you get back to the original app after entering your password?

Krause suggests one way to protect yourself if you suspect a password prompt might be a phishing attempt: press the home button. If it’s a phishing scam, the dialog box will disappear when you go back to the home screen, because it’s part of the app you’re using. If it’s a real system-level prompt, the alert will still be there.

via:daringfireball 
8 weeks ago by rufous
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just…
from instapaper
8 weeks ago by artblanc
from Daring Fireball

Felix Krause:

iOS asks the user for their iTunes password for many reasons; the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.

As a result, users are trained to just enter their Apple ID password whenever iOS prompts them to do so. However, those popups are not only shown on the lock screen and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.

This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.

Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.

I’ve been thinking about this for years, and have been somewhat surprised this hasn’t become a problem. It’s a tricky problem to solve, though. How can the system show a password prompt that can’t be replicated by phishers? The best idea I’ve seen is for these system-level prompts to only appear in the Settings app. When the system needs your iCloud or iTunes password while you’re in any other app, that prompt would take you to Settings, where you’d then be prompted for the password. That’s not great, though, because it makes entering your password far more cumbersome. And how would you get back to the original app after entering your password?

Krause suggests one way to protect yourself if you suspect a password prompt might be a phishing attempt: press the home button. If it’s a phishing scam, the dialog box will disappear when you go back to the home screen, because it’s part of the app you’re using. If it’s a real system-level prompt, the alert will still be there.

ifttt  daringfireball 
8 weeks ago by josephschmitt
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just…
from instapaper
8 weeks ago by wahoo5
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just…
from instapaper
8 weeks ago by kohlmannj
iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking https://buff.ly/2fZJVc6
Buffer 
8 weeks ago by phoneboy
How can you protect yourself

• Hit the home button, and see if the app quits:
-If it closes the app, and with it the dialog, then this was a phishing attack
-If the dialog and the app are still visible, then it's a system dialog. The reason for that is that system dialogs run in a separate process, not as part of any iOS app.
• Don't enter your credentials into a popup; instead, dismiss it and open the Settings app manually. This is the same concept as never clicking links in emails, and instead opening the website manually.
• If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after you enter the first characters, the app probably already has your password.

Initially I thought faking those alerts required the app developer to know your email. Turns out some of those auth popups don't include the email address, making it even easier for phishing apps to ask for the password.

Proposal

Modern web browsers already do an excellent job protecting users from phishing attacks. Phishing within mobile apps is a rather new concept, and therefore still pretty unexplored.

• When asking for the Apple ID from the user, instead of asking for the password directly, ask them to open the Settings app
• Fix the root of the problem: users shouldn't constantly be asked for their credentials. It doesn't affect all users, but I myself had this issue for many months, until it randomly disappeared.
• Dialogs from apps could contain the app icon in the top right of the dialog, to indicate that an app is asking you, and not the system. This approach is used by push notifications; also, this way, an app can't just send push notifications as the iTunes app.


This is still bad, and Apple's security people should have stamped it out ages ago. I suspect they couldn't and so their pivot has been to try to persuade people to enable two-factor authentication on accounts.

But as Krause points out, even if you've got 2FA, that won't protect any accounts where you've used the same username/password combination.
apple  security  phishing  ios 
8 weeks ago by charlesarthur
RT : iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking
from twitter
8 weeks ago by andygambles
How can you protect yourself

• Hit the home button, and see if the app quits:
-If it closes the app, and with it the dialog, then this was a phishing attack
-If the dialog and the app are still visible, then it's a system dialog. The reason for that is that system dialogs run in a separate process, not as part of any iOS app.
• Don't enter your credentials into a popup; instead, dismiss it and open the Settings app manually. This is the same concept as never clicking links in emails, and instead opening the website manually.
• If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after you enter the first characters, the app probably already has your password.

Initially I thought faking those alerts required the app developer to know your email. Turns out some of those auth popups don't include the email address, making it even easier for phishing apps to ask for the password.
ios  apple  security 
8 weeks ago by andyhuey
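The Cancel point in the excerpts above (the app already holds the field's contents before any button is tapped) comes down to a documented UIKit API, and it is the same code any app would use for an ordinary in-app login alert, which is why nothing on screen distinguishes the two. The following is an added example written for this page, not code from Felix Krause's post, which deliberately left the popup source out. The class name is hypothetical, and the title and message strings are placeholders that do not reproduce Apple's wording.

```swift
import UIKit

/// Added example (not from the original post). It demonstrates the mechanism
/// the excerpts describe: an app presents a UIAlertController with a secure
/// text field and is notified of every edit via .editingChanged, so the
/// characters are in the app's hands before Cancel or OK is ever tapped.
final class PasswordPromptDemo: UIViewController {

    /// One snapshot of the field's contents per edit event, in order.
    private(set) var observedInput: [String] = []

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        presentPrompt()
    }

    func presentPrompt() {
        // Placeholder strings. A phishing app would copy the real prompt's
        // wording; this example intentionally does not.
        let alert = UIAlertController(title: "Sign In",
                                      message: "Enter the password for your account.",
                                      preferredStyle: .alert)

        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true
            // Secure entry only hides the glyphs on screen; the owning app
            // still receives the text, and .editingChanged fires per keystroke.
            field.addTarget(self,
                            action: #selector(self.textChanged(_:)),
                            for: .editingChanged)
        }

        // By the time either handler runs, observedInput is already populated.
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel) { _ in
            print("Cancel tapped; edits already observed: \(self.observedInput.count)")
        })
        alert.addAction(UIAlertAction(title: "OK", style: .default) { _ in
            let typed = alert.textFields?.first?.text ?? ""
            print("OK tapped; final field length: \(typed.count)")
        })

        present(alert, animated: true)
    }

    @objc private func textChanged(_ field: UITextField) {
        // field.text is the full current contents, not just the last character.
        observedInput.append(field.text ?? "")
    }
}
```

Present PasswordPromptDemo on a device or simulator, type a few characters, then tap Cancel: observedInput already contains a snapshot for each edit, with the last one holding everything typed. That is exactly why the advice above is to dismiss the popup and open Settings yourself rather than to rely on Cancel, and why the home-button test, which checks whether the dialog belongs to the foreground app's process, is the only on-screen check a user has.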
Super easy to phish iOS users to type their password in a "Sign In" dialog that looks identical to the system one
Apple  iOS  phishing  hack 
8 weeks ago by dandv