A bug in the iOS Mail app, reported to Apple almost five months ago, still exists and allows hackers to gain access to iCloud login details in a relatively simple way.
The bug affects the Mail app for iPhone and iPad and – due to Apple's lack of action – Jan Soucek, the developer who discovered the bug, has published the code on the hosting website GitHub.
Soucek has even published a video showing his proof of concept code in action, stealing iCloud login details.
The bug makes it possible for hackers to send you an email that forces the Mail app to create a pop-up window that looks like the iCloud login window on iOS.
The vulnerability in the Mail app causes a simple line of code to be loaded when it should be ignored, and this in turn loads remote HTML content. The hackers would not be limited to stealing iCloud data, however, as they could design the pop-up to look like a Facebook or Twitter login, or even an internal corporate login window if they were targeting enterprise victims.
Proof of concept
The HTML code can be used by hackers to create simple password collectors that look a lot like Apple's own iCloud login window. They would be able to use your email address to autofill the username.
Despite Soucek filing a report with Apple's bug reporting system on 15 January, the company has not patched the flaw, and the problem is still present in iOS 8.3, released on 8 April 2015.
IBTimes UK has asked Apple for a comment on the problem, but has yet to receive a response.
It is unclear if the bug has been exploited in the wild maliciously to date, but with Soucek publishing the proof of concept code on GitHub for anyone to use, it is surely only a matter of time.