
A flaw in iOS 8.3 allows our passwords to be stolen


The vast majority of password thefts are carried out through social engineering. This means that the pseudo-hacker knows us well enough to guess our passwords from our tastes, preferences, pets, partners, dates, etc. Until the arrival of two-step verification, they could even answer our security questions. But the flaw we are going to talk about in this article is a security flaw that exists in iOS 8.3.

A security researcher called jansoucek has discovered an exploit on iOS that allows a malicious user to steal iCloud passwords. Everything seems to indicate that iOS 8.3 fails to properly filter potentially dangerous HTML code embedded in received emails. The proof-of-concept code that jansoucek uses takes advantage of this bug to load remote HTML that looks identical to the iCloud login window, so that it tricks us into typing our password in the wrong place. The fake window disappears when you tap “OK”.
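As an added example (not jansoucek's proof-of-concept and not code from this article), the Python check below shows how a mail filter could flag HTML email bodies that load remote content or ask for a password. The article does not say which markup the bug involves, so the tag list, the verdict names and the sample messages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: the article does not name the markup involved; these are common
# elements through which an HTML email body can pull in remote content.
REMOTE_LOADERS = {"iframe", "frame", "object", "embed", "script", "link"}

class MailHtmlAudit(HTMLParser):
    """Collects (kind, detail) findings for risky markup in one email body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("redirect", "meta refresh: " + a.get("content", "")))
        elif tag in REMOTE_LOADERS:
            url = a.get("src") or a.get("href") or a.get("data") or ""
            if url.lower().startswith(("http:", "https:", "//")):
                self.findings.append(("remote-content", f"<{tag}> loads {url}"))
        elif tag == "form":
            self.findings.append(("form", "form posts to " + a.get("action", "(none)")))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("credential-prompt", "password input field"))

def audit_mail_html(body):
    """Return (verdict, findings); verdict is pass, review or quarantine."""
    parser = MailHtmlAudit()
    parser.feed(body)
    parser.close()
    kinds = {kind for kind, _ in parser.findings}
    if kinds & {"redirect", "remote-content", "credential-prompt"}:
        return "quarantine", parser.findings
    return ("review" if kinds else "pass"), parser.findings

# Constructed sample bodies (not real messages, hosts are placeholders).
SAMPLE_REMOTE = '<p>Session expired.</p><iframe src="https://login.example.invalid/prompt"></iframe>'
SAMPLE_FORM = '<form action="https://collect.example.invalid/login"><input type="password" name="pw"></form>'
SAMPLE_BENIGN = '<p>Lunch at <b>noon</b>? <a href="https://example.org/menu">Menu</a></p>'

if __name__ == "__main__":
    for name, body in [("remote", SAMPLE_REMOTE), ("form", SAMPLE_FORM), ("benign", SAMPLE_BENIGN)]:
        print(name, audit_mail_html(body))
```

Ordinary links and formatting pass untouched; only bodies that fetch remote markup, redirect, or present a password field are held back.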

There are details that let us recognize that we are being targeted by this password-stealing technique. The predictive keyboard is not deactivated as it should be, so if we see an email that asks us to enter the password and the predictive keyboard is still active, we only have to exit by pressing the Home button, something we could not do if it were a real window. If we do not notice, which would also be understandable, the malicious user could take control of our account and prevent us from recovering it.

The best way to prevent the theft of our account by this method is to enable two-step verification. If the password were stolen and the thief tried to sign in from a new device, he would be asked which trusted device the code should be sent to and, as he does not have any of them, he could not steal our account.

Jansoucek says he reported this bug last January, but no patch has been released to fix it. In any case, he says that it works in iOS 8.3 and that it has not been fixed yet, but he does not say whether it is present in the iOS 8.4 betas. It could actually be fixed, so publishing this flaw is irresponsible.
