Apple ID and Password may not be secure for iOS phishing
Finally, we have another vulnerability from Apple. The Mobile developers recently announced about iOS and how the password and user id is at risk, which may put the user under attack. The possibility of hackers using a pop-up dialogue box, tricking the user to give up their User ID and password.
Phishing attacks have been there for the past couple of years, and we have seen how people fall victim to this fake method. People give away their password, credit card details, and other details.
Phishing is about making an exact copy of a website, which, when compared side by side makes no difference except the URL, which most people fail to realize. This case again a legitimate pop-up springs up and the user ends up filling the details.
A security vulnerability in iOS has been displayed with proof-of-concept by Krause, in which he elucidates how a fake pop-up shine when pressing the ‘home button’. So when the user pushes the home button it closes the pop-up with all the app that appeared with it. For instance, if the pop-up sprang up when the user is working on photoshop, pushing the home button will close the pop-up as well the photo app.
If you have noticed that legitimate pop-ups seeking your details and credentials will not close even after you push the home button. This is because the real pop-up is running somewhere else from the standard app.
Krause further added how tricking a system pop-up was so easy. It’s just a few lines of code and hopefully every iOS engineer is capable to write his own phishing code.
Krause suggestion to counter this fake pop-up dialogue box is included it with the app’s icon. This will help the user to distinguish app pop-up from a system pop-up, and finally, make out which is the fake one.
There should be a two-way factor of verification to enhance security. If the hacker is able to get your password, let him go through multiple security processes to complete the process before he could execute his dubious intention.
Last but not the least, Krause believes that Users should not be asked for credentials in the first place, that it is a sign of cheating, and one must understand that it is not genuine. This presence of mind can prevent the user from getting fudged, as a result of this vulnerability.