It has recently been discovered that the legitimate dialog boxes that prompt a user for the password to their Apple ID can be replicated with frightening accuracy. Felix Krause, an iOS developer who works on fastlane (Fastlane.Tools), posted the proof of concept on his blog in an effort to get this “loophole which has been around for many years” closed. The fake boxes are nearly identical to the legitimate ones.
Placed side by side, the two are nearly indistinguishable. Unless you were specifically looking for it, you would never be able to tell them apart. Even if you suspected a phishing attack, it would be nearly impossible to determine with certainty whether the prompt was legitimate. This particular box type shows the email address associated with the Apple account, but there is also a version without the email address.
Again, if you weren’t expecting this to be a phishing attack, you would probably not think twice before inputting your password.
The boxes are created, quite easily, with UIAlertController, a standard UIKit class available to every iOS developer. Krause did not disclose the exact code for building these boxes, for security reasons, but a quick look at the UIAlertController page in Apple’s developer documentation shows that creating one is as easy as following a template.
Thankfully, Krause also offered several tips to avoid being phished in this manner:
If you press the home button and both the app and the dialog box close, then it was a phishing attack. If the app and the dialog are still up, then the dialog is legitimate. This is because system dialogs are handled with a different protocol than app dialogs.
Don’t even begin to enter your credentials into a popup. Even if you don’t submit the form, your keystrokes have probably already been recorded. Instead, open the Settings app and enter your credentials there.
If the user has two-factor authentication enabled, they’ll be safer from phishing attacks of this nature. That said, if the app also asks for the two-factor authentication token and the user enters it, then they’ve nullified the whole process.
As always, be careful when you’re putting in your credentials. You never know where phishing attacks will come from next.
– Daniel Szafran
Felix Krause’s blog: https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking
Source Article: https://thehackernews.com/2017/10/apple-id-password-hacking.html
Apple Developer UIAlertController: https://developer.apple.com/documentation/uikit/uialertcontroller