Apple’s iPhone customers could potentially fall victim to a scam that would see them unwittingly hand over their Apple ID credentials.
Security researcher Felix Krause on Tuesday published a proof-of-concept that shows how easy it is for hackers to replicate the familiar “Sign In to iTunes Store” Apple prompt on the iPhone and steal a user’s password. According to Krause, developers can turn on an alert inside their apps that look identical to the legitimate pop-up requesting a user’s credentials. If the person inputs the password, the malicious app owner could steal the information and users wouldn’t even know they were targeted.
“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” Krause wrote in a blog post. “However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases. This could easily be abused by any app.”
Apple IDs are accounts users create to do everything from buy apps to subscribe to the company’s many online services, including Apple Music and iCloud. Accessing a person’s Apple ID would allow malicious hackers to make fraudulent purchases, change passwords, and ultimately use the account’s associated credit card to buy digital goods. And if users make the mistake of using the same password for other services, like banks, sophisticated hackers could target accounts elsewhere.
Apple ID alerts are common fare in a typical day using the iPhone. They come up when users want to make an app purchase or when account content, like iCloud data, needs to be accessed. Apple’s legitimate pop-ups display information and then request users input their Apple ID passwords to proceed.
According to Krause, any app developer can create an identical pop-up, and he was able to do just that as part of his research. Users, then, would be hard-pressed to determine whether it was a legitimate password request or one that could leave their credentials open for theft.
Still, Krause said that users can protect themselves by never inputting passwords into pop-ups and instead going into the iPhone’s Settings menu and do it there to ensure it’s a legitimate request. He also suggests clicking the home button when a pop-up is displayed. If the home button closes the app, it was a phishing scam, but if the pop-up remains, it’s a real Apple request.
Looking ahead, Krause believes the best way to fix the problem is by Apple making some tweaks to the way apps ask for Apple ID passwords. Rather than use pop-ups, he says, Apple should ask users to open the Settings app and input their credentials there, thereby eliminating the apps from the process altogether.