New iOS bug lets attackers “steal” Apple ID passwords

Developer Felix Krause has found an iOS bug that allows attackers to steal the login and password of an Apple ID. The attack uses the system's UIAlertController, which is responsible for showing pop-up notifications that request confidential data. Because such prompts are not uncommon for iOS users, they often enter the requested information without hesitation. As it turns out, this can lead to the loss of personal data, money, and other unpleasant consequences. Below we describe ways of dealing with this bug.

Official (left) and fake (right) notices

As you can see in the screenshot above, it is impossible to distinguish a fake notice from a real one. And because iOS shows this window when updating the system, when there is a problem installing apps, when buying in-game currency, when third-party apps access iCloud or Game Center, and in several other situations, users often enter their data without thinking about it.

“Showing a dialog box that looks the same as the system pop-up window is no big deal. There is no magic or secret code. It is literally the examples presented in Apple's documentation, using custom text. I decided not to disclose the source code of the pop-ups, but please note that it is less than 30 lines of code, and every developer will be able to quickly implement it in their app,” said Felix Krause.


He notes that for many years this method of identity theft was a big problem in desktop browsers: sites likewise displayed fake pop-up windows that were almost identical to the usual system notifications. The same situation is now occurring on iOS. Felix says he has told Apple, but warned that the company may not disallow entering passwords in pop-up windows.


Until Apple fixes this bug, Felix Krause offers the following ways to protect yourself:

  1. When such a notification appears, press the Home button and check whether it disappears. If the app is minimized together with the pop-up window, it was a phishing attack. If the notification and the program remain open, it is a system message.
  2. Do not enter account information via pop-ups. Instead, cancel the prompt and enter the password through the Settings app.
  3. If you have already typed the username and password but then tapped “Cancel”, the attackers still get your data.

