Slashdot Mirror


Security Researcher Finds a Fundamental Flaw in iOS (krausefx.com)

Felix Krause writes: Do you want a user's Apple ID password to get access to their Apple account or to try the same email/password combination on different web services? Just ask your users politely; they'll probably just hand over their credentials, as they're trained to do so. This is just a proof of concept; phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup; however, it was shockingly easy to replicate the system dialog.

10 of 162 comments

  1. Terrible headline by Anonymous Coward · Score: 5, Insightful

    Phishing attacks that are well crafted don't count as flaws.

    1. Re:Terrible headline by gweihir · Score: 3, Insightful

      Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Terrible headline by omnichad · Score: 5, Insightful

      If the platform doesn't give you a way to distinguish, then it's still a platform security issue.

    3. Re:Terrible headline by Dixie_Flatline · Score: 5, Insightful

      I disagree in this case. Apple has had an annoying problem for a couple of years where it would pop up an anonymous dialog box asking you to log in for no discernible reason.

      You should never be prompted to enter your password without some sort of justification and idea of where it's coming from. It used to pop up 6 or 8 times in a row and I'd dutifully enter my password, wondering what the heck was going on. Usually I'd press the cancel button before iOS stopped asking me.

      Apple's crafted a system where you reflexively enter your password with no justification, and they could make that stop any time by including information about the process that's asking for it. It really is a problem in iOS that we've been complaining about for years. I'm surprised it took this long for someone to point out that it could be used for phishing.

    4. Re:Terrible headline by Kristoph · Score: 3, Insightful

      You have no experience with security, do you? A trojan can pop up a login dialog that only vaguely looks like an authentication prompt, and 9 times out of 10 a user will enter their credentials - on Windows, Mac OS X, whatever. A technically astute user (0.1%) will understand this should not happen in a given circumstance. A normal user (99.9%) will just do what they're told (because they're trained to take action X when they see prompt Y). Heck, I could probably create a prompt with a Gmail logo in a place totally unrelated to Gmail and I would still get Gmail credentials a high percentage of the time.

      That said, iOS does make this worse. They have my biometrics but they still randomly show an iTunes/iCloud prompt, which is stupid.

  2. Never an Apple user by JackieBrown · Score: 3, Insightful

    But this isn't a flaw in iOS. It's like saying Android is insecure because of fake emails I get asking me to reset my Gmail password.

    1. Re:Never an Apple user by Anonymous Coward · Score: 5, Insightful

      Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

      And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

      There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

  3. 'Security Researcher' by Fly+Swatter · Score: 4, Insightful

    Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other people's stuff just to brag about it?

    And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.

  4. Keyword: Trained by Anonymous Coward · Score: 5, Insightful

    I'm asked for my Apple password at least once a week, and it happens absolutely randomly. I might be doing anything, and suddenly "hey re-authenticate please!". I've absolutely been trained to not question it and just punch the password in so my phone continues to work. This is even worse than the whole "constant UAC prompt trains users to just say yes", because it has absolutely zero context. I don't know what triggered it, I don't know how not putting the password in limits me exactly, I have no way of knowing it's really the system asking for the credential, and I'm not just pressing yes, I'm inputting my golden key. Just bad design all around.

  5. I think it counts as a flaw. by w3woody · Score: 3, Insightful

    Honestly I think this does count as a fundamental flaw--but a flaw in the design of the user interface flow used to obtain credentials for iTunes (or for other applications).

    It's a flaw for two reasons. First, any process which interrupts your current actions with a modal dialog is a flaw in that if you are not paying attention, you may accidentally tap the accept or cancel button without realizing what you are doing. (This is worse on a desktop environment, where a pop-up may appear while you are typing. If you are a fast touch-typist like I am, you may accidentally press 'enter' or 'space' before realizing what you're typing has gone into the dialog box that just randomly appeared.)

    Second, the design is a flaw because it does not give a mechanism by which the context of the dialog box can be brought forward and examined for validity. That is, with the iTunes login prompt, all you are permitted to do is to enter the password or not--but you have no way to know that it indeed is coming from iTunes.

    I personally would consider fixing this user interface flaw by doing three things.

    First, provide a notification mechanism which is clearly visible to the user (such as a flashing bar at the top of the screen), but which does not directly interrupt the user's interaction with the device. If, for some reason, a password is necessary before the user can continue his interaction with the device, I would propose a dialog box come up which stops the user interaction with an accept/cancel button but which does not ask for information.

    Second, in response to the notification mechanism, I would switch to the application that is asking for the information. (This is easier now that iOS supports multiple concurrent applications and a method for going 'back' in the upper-left corner of the screen.) This gives the user the opportunity to examine the application which is asking for the information. (If this is in response to an iTunes password prompt, I would switch to the Settings app and to the iTunes password screen within settings.)

    Third, I would explicitly prohibit (either by changing the OS or through the review process) modal dialogs not belonging to an application from appearing over another application. This includes built-in OS modal dialogs.

    All of this is designed to force the user to examine the context in which their sensitive information is being requested, rather than blindly handing it over. Because this sort of interaction is relatively rare, forcing the user to switch to the settings page (rather than just grabbing the password on the go) is not an unreasonable price to pay here.