The vulnerability, which could potentially allow criminals to gain access to an iPhone owner's Apple account, was demonstrated by mobile app developer Felix Krause in a blog post Tuesday. "This is a tricky problem to solve, and Web browsers are still tackling it; you still have websites that make popups look like macOS/iOS popups so that many users think [are] system message[s]." A spokesperson for Apple did not immediately respond to a request for comment.
iPhone users have been warned of a new type of phishing scam that tricks you into giving away your Apple ID.
However, it has been discovered that hackers can use this method to steal passwords.
Mr Krause said malicious developers can turn on alerts inside their apps that look nearly identical to Apple's pop-ups using a simple bit of code.
"Users are trained to just enter their Apple ID password whenever iOS prompts you to do so." By inserting the login prompt into an otherwise innocuous-seeming app or on a website, an attacker could easily launch a phishing attack for iOS credentials. "Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks."
Krause said the best way to not be duped was by entering your login details via settings. If the app closes and the dialog box disappears, the prompt was likely fake.
In a proof of concept attack that Krause concocted, he showed that an attacker could easily create a faux version of Apple's login screen popup and use it to record the login information of iOS users.
Even if you have two-factor authentication (2FA), what's to stop an app developer from asking for your 2FA key as well?