Few days back a bug was discovered in iOS 8’s Mail app that makes it possible for malicious individuals to phish your iCloud username and password through a pop-up that looks very similar to the native iCloud login prompt. The bug allows remote HTML content to be loaded in place of the content of the original email message.
Fortunately, there are some easy ways to identify if the login prompt is legitimate or a hoax. Here’s how you can avoid such phishing attacks.
- The username is auto-populated and grayed out in case of the legitimate iCloud login prompt. If the username is blank or can be altered, then it is most likely a fake one.
- The fake prompt appears only in the body portion of the email in the Mail app.
- In case of the legitimate prompt, the keyboard will automatically appear. In contrast, you will have to tap inside the fields to bring up the keyboard in case of the fake one.
- The legitimate login prompt is modal, which means that you cannot do anything else other than either tap on Ok or Cancel button. The fake prompt is not modal, so if pressing the Home button takes you to the Home screen while the prompt is displayed, would mean that it is a hoax and shouldn’t be trusted.
If you’re alert and remember these points then you should be able to avoid such phishing attacks.
The best way to protect yourself from such attacks is by enabling two-step verification for your Apple ID. If you need help then follow our guide.
Update: If you’ve jailbroken your iPhone then you should install DeDirect, the jailbreak tweak blocks such malicious popups in the Mail app. Thanks Chris!
Apple has acknowledged the issue and has said that it will fix it in an upcoming software update.