Security Researcher Finds a Fundamental Flaw in iOS

Felix Krause writes: Do you want a user's Apple ID password to get access to their Apple account or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so. This is just a proof of concept, phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup, however it was shockingly easy to replicate the system dialog.

Re:Never an Apple user

[TheFakeTimCook]

Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

If something is asking for my AppleID, it needs to be displaying the "TouchID" "Dialog", or I'm not playing. And TouchID simply returns a Go/No-Go back to the App.

That's about as secure as it can get.

I do agree, however, that there should be something to distinguish a System-Generated Password Dialog from ANY other Dialog.