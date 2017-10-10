Security Researcher Finds a Fundamental Flaw in iOS (krausefx.com) 39
Felix Krause writes: Do you want a user's Apple ID password to get access to their Apple account or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so. This is just a proof of concept, phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup, however it was shockingly easy to replicate the system dialog.
Phishing attacks that are well crafted don't count as flaws.
As if this couldn't be done on ANY platform.
Yes, it could be done on any platform.
However, the different platforms cultivate different sorts of users.
On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.
Compare the effectiveness of this sort of phishing on:
- An iOS account holder.
- An OpenBSD account holder.
Clearly, the Fisher-Price interface coddles and encourages certain types of behavior. You can't really blame that on the developers, or the users. It's
On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.
Leave the 10 Windows Phone users out of this. Thanks, I'll be here all week. Tip your waitstaff.
Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.
Again, why is this even news?
Impersonation of a Login Dialog can be done on ANY OS, period. And with stuff like Text Substitutions in a Dialog, pretty much no amount of App-Scanning by %APP_APPROVER% is going to discover a cleverly-obfuscated Dialog creation function.
What Apple (and others) could POSSIBLY do, is to make a "Credentials" Dialog appear COMPLETELY different from any-other-Dialog, using baked-in UI elements that are simply not accessible to Apps. Kind of like building holograms and micro-
If the platform doesn't give you a way to distinguish, then it's still a platform security issue.
One word:
2FA
There's no equivalent to an iTunes account. If I'm asked for my Google Play account password I'm very wary.
You said there was no equivalent, and then listed the equivalent.
Did they? All they said is that they'd be wary if they were asked for their Google Play password. They did not say that the request was ever legitimate. I imagine that if I was asked for the password, the phone would switch over to the Play store app before popping up the dialog - but I also can't remember ever being asked.
Many apps pop up the Google Play app for authentication. There is 0% chance that it cannot be faked as well as an iOS authentication pop up.
Is that true? I've had Android phone for 6+ years and can't ever remember a 'system' popup asking for a password. There's no equivalent to an iTunes account. If I'm asked for my Google Play account password I'm very wary. I'm genuinely curious if this sort of phishing has been tried on Android?
No. On Android, they just pull the stuff out WITHOUT User Intervention...
Never an Apple user (Score:4, Insightful)
But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password
Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.
And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."
There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your pas
But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password
That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.
It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they
No, it would be like saying android is insecure because Google regularly send emails asking to reset your gmail password. So when you get an email that looks similar you'll just click the link and enter your password.
On Android, I'm trying to remember any time I'm asked to enter my account password. When I add my account to the phone initially, and when I purchase something from the play store. I don't recall ever seeing a popup asking for my google account password in any other circumstance.
So the issue
Yes, it is, because it shouldn't be possible for a trojan to impersonate the system log in screen. That's why Windows boxes make you use ctrl-alt-del--user programs can't catch that key sequence and make it look like you're logging in.
Avatar or user only knowledge (Score:3, Informative)
This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldn't forge the OS dialogue, because it doesn't have access to that info.
At the same time, there are probably still limitations arising from an app asking for permissions it shouldn't need. This is easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.
Try the enterprise environment... (Score:1)
This is everywhere... (Score:3)
Lots of people use their Google account, or their Facebook account, to log into various sites and services. I'm not sure how Facebook works, because I rarely use it. Google makes you type in your password once per month, so Google users are also trained to enter their password more-or-less at random, when asked. It would be dead easy to fake the password dialog.
Users trading of security for convenience, yet again. The stupid thing is that companies encourage this behavior. If some service really wants you to login again, it should ask you to go log in, not present you with some dialog to type in your password.
Gonna be tough (Score:2)
Will they install control, alt and delete keys on iPhones?
'Security Researcher' (Score:3)
Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other people's stuff just to brag about it?
And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.
Terrible flaw in the human mind (Score:2)
I can simulate a real terror threat and people will believe it! -get a new brain?!
How the fuck is this a flaw in iOS? What a load of rubbish.
Turns out you can call yourself anything (Score:1)
Why title it "Security Researcher" when you clearly submitted a post about yourself? Why not instead title it "I find what I personally think is a fundamental flaw in iOS"?