If you are an iPhone user, you are used to the random popup asking for your Apple ID password because some application is doing something in the background.
This is normal, and most of us do not think twice before entering the password. However, there is a new phishing technique that can trick you into entering your password in a fake dialog, stealing it and causing you serious privacy problems.
Felix Krause has published a post on his blog explaining how a fake popup could easily be used to trick someone into submitting their Apple ID password.
The developer explains that creating a fake popup does not require extraordinary coding skills. Any iOS engineer can build an Apple ID password request that is indistinguishable from the real one and show that popup window.
The password typed into it is captured by the application, so whoever controls the app can read it. It takes less than 30 lines of code, and apparently it could be disguised inside any legitimate-looking iOS app and slip past the App Store review teams.
"Creating a dialog box that looks like a system popup is super easy; there is no secret code or magic involved, they are literally the examples provided in Apple's documentation, with a custom text. I decided not to open source the actual popup code; however, keep in mind that it is less than 30 lines of code and that any iOS engineer can quickly build their own phishing code."
Krause says he has already reported this problem to Apple and explains that Apple could fix it by no longer requesting passwords in popups, and only allowing it inside the App Store application. The security expert points out that this has been a problem with desktop browsers for years, with websites that display popups that look identical to system dialogs.
This is a serious problem, and until Apple provides a solution, Krause has pointed out some ways in which you can protect yourself from this type of phishing attack.
Press the Home button and see whether the application closes:
- If the application closes, and the dialog box with it, then it was a phishing attack: a dialog drawn by the app disappears with the app.
- If the dialog is still visible while the application is gone, then it is a genuine system dialog.
- Do not enter your credentials in a popup at all; instead, open the Settings application manually and enter them there.
- Do not rely on the Cancel button either: the application still has access to the contents of the password field, so even if you only typed the first few characters, the application probably already has your password.
So now you know: the next time you see a popup on your iOS device asking for your password, make sure you check it before entering anything, to avoid a phishing attack that steals your Apple ID and password.