Ios Email Exploit Let You Get Apple Id Password
iOS 8.1.2 Mail.app inject kit
iOS security researchers Jan Souček stumbled upon a bug in iOS’s mail client, resulting in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS.
It was filed and send to apple back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here.
video:
how to :
ios email exploit let you get apple id password
- Edit the e-mail address you would like to use for password collection in
framework.php - Upload
index.php,framework.phpandmydata.txtto your server - Send an e-mail containing HTML code from
e-mail.htmlto the research subject- Don’t forget to change the
modal-usernameGET parameter value to the e-mail address of the recipient - You can use https://putsmail.com for testing purposes
- Don’t forget to change the
Apple has been notified about technical details of this vulnerability on 2015-01-15
6 months later, still no fix .
Ios Email Exploit Let You Get Apple Id Password
Reviewed by Unlock iCloud
on
October 30, 2018
Rating:
Reviewed by Unlock iCloud
on
October 30, 2018
Rating:
