AN UNFIXED VULNERABILITY has been uncovered in Apple's iOS operating system that enables hackers to steal user passwords by sending an email.
It allows hackers to send an email that looks like it's from a real company, but is actually used to steal passwords via a legitimate-looking pop-up that could easily fool iPhone and iPad users.
Soucek explained that he first told Apple about the bug in January, but that the company had not responded or fixed the problem.
Soucek therefore decided to make his findings and the proof-of-concept code public in the hope of prompting Apple to take action.
"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tags in email messages not being ignored," Soucek said.
"It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2."
Soucek said that his free tool is better than using a form directly within an HTML email because it targets only users of the iOS app.
"When you use this HTTP-equiv method, the remote page containing the log-in form gets loaded only on vulnerable iOS devices," he added.
"It wouldn't make much sense if it asked for Apple ID credentials with an iOS-styled dialogue box when opened in Outlook or Gmail on the desktop, right? Because the redirect meta tag gets ignored by other mail clients, it will look like a regular email message."
Apple has yet to comment.