A flaw in iOS 8.3 allows our passwords to be stolen


Most password thefts, the vast majority, occur through social engineering. This means that the pseudo-hacker knows us well enough to guess our passwords from our tastes, preferences, animals, partners, dates, etc. Until the arrival of two-step verification, they were even able to answer our security questions. But the flaw we are going to talk about in this article is a security flaw that exists in iOS 8.3.

A security researcher called jansoucek has discovered an exploit in iOS that allows a malicious user to steal our iCloud passwords. Everything seems to indicate that iOS 8.3 does not correctly filter potentially dangerous HTML code embedded in received emails. The proof-of-concept code that jansoucek uses takes advantage of this flaw to load a remote HTML page that looks identical to the iCloud login window, so that it tricks us into putting our password in the wrong place. The false window disappears when you tap on “OK”.
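As an added illustration (not code from jansoucek's proof of concept or from this site), here is a sketch of the kind of check a mail gateway could run on incoming messages to flag HTML that pulls in a remote page or asks for a password. The article does not say which HTML element the flaw involves, so the list of flagged tags, the `scan_message` name and the sample message are assumptions.

```python
# Added example: flag HTML in an email body that a mail client or gateway
# would be expected to strip. The rule set below is an assumption.
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message (not taken from the proof of concept).
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><head>
<meta http-equiv="refresh" content="0; url=https://example.invalid/page">
</head><body>
<form action="https://example.invalid/submit"><input type="password" name="p"></form>
</body></html>
"""

class RiskyHtmlFinder(HTMLParser):
    """Collects (tag, reason) pairs for markup that loads remote content or asks for a password."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.append((tag, "redirects to a remote page"))
        elif tag in ("iframe", "script", "object", "embed"):
            self.findings.append((tag, "active or embedded remote content"))
        elif tag == "form":
            self.findings.append((tag, "form inside an email"))
        elif tag == "input" and a.get("type") == "password":
            self.findings.append((tag, "password field inside an email"))

def scan_message(raw):
    """Return findings for every text/html part of a raw RFC 5322 message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            finder = RiskyHtmlFinder()
            finder.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
            findings.extend(finder.findings)
    return findings

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A message that produces any finding can be quarantined or delivered with the HTML part removed, which protects clients that do not filter the markup themselves.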

There are details that let us recognise that we are being targeted by this method of stealing our password. The predictive keyboard does not turn off as it should, so if we see an email that prompts us to enter the password and the predictive keyboard is still active, we only have to exit by pressing the home button, something we couldn't do if it were a real window. If we do not notice, which would also be understandable, the malicious user could take control of our account and prevent us from recovering it.

The best way to prevent theft of our account by this method is to turn on two-step verification. If the password were stolen and the thief tried to sign in from a new device, he would be asked which trusted device the code should be sent to and, since he does not have any of them, he could not steal our account.

jansoucek says he reported this bug last January, but no patch has yet been released to fix it. In any case, he states that it works in iOS 8.3 and has not been fixed yet, but he does not say whether it is present in the iOS 8.4 betas. In fact, it could already be fixed, so publishing this bug is irresponsible.



  1.   Dany sequeira said

    Now I am calmer ...

  2.   Alvaro Del Pino Santana said

    I don't know what happened to ios 8, it was a real disaster ...

  3.   elis monsoon said

    How to download CYDIA on an IPhone 4s