New iOS Bug: Apple ID Password Prompts May Be Fake
Felix Krause, developer and creator of fastlane.tools, has reported an alarming bug in iOS. While this issue is not a true vulnerability, Krause believes it could still cause significant harm to users.
In his blog post, Krause explains that the UIAlertController API lets app developers create dialog boxes that look identical to the genuine system password prompts for iCloud, iTunes, or Game Center. In the comparison images he provided, the phishing prompt is on the right in each pair, and it is almost impossible to tell it apart from the real one.
“iOS asks users for their iTunes password for many reasons: after a recent iOS update, or if an app gets ‘stuck’ during installation. As a result, users have become accustomed to simply entering their Apple ID password whenever the system asks for it. What’s more, these pop-ups can appear not only on the lock or home screen, but also in random third-party apps when they need access to iCloud, Game Center, or in-app purchases,” Krause writes.
According to Krause, attackers don’t even need to know the victim’s email address, since the prompt can look just like the example below.
The researcher believes attackers are not yet aware of this issue, since there have been no known cases of it being exploited. For this reason, Krause has chosen not to publish the source code he used to create such convincing fakes.
How to Tell a Fake Password Prompt from a Real One
Krause also shared a simple way to distinguish a fake password prompt from a real system request: if you see such a prompt, press the Home button. If both the app and the dialog box close, it was a phishing attempt. A real system prompt stays on the screen even after pressing Home, because it is handled by a separate process rather than by the app itself.
Krause also recommends using two-factor authentication and advises against entering your credentials in these pop-up windows. Instead, go to your device’s settings and enter your information there if needed.