Posted on 06/11/2015 6:55:13 PM PDT by Swordmaker
A security researcher says a vulnerability in Apple's mobile email application could be used to trick someone into divulging their iCloud password.
Prague-based Jan Soucek published proof-of-concept code that shows how he could send an email to someone with HTML code that resembles the iCloud login pop-up window. Soucek then receives an email containing the password. . .
He found the bug in January and notified Apple. "The bug wasn't fixed in iOS 8.1.2, therefore I decided to publish the proof of concept code here," he wrote. Apple officials did not immediately comment.
Soucek rigged the exploit code so that the bogus iCloud authentication window is only displayed once, which reduces suspicion, he wrote.
. . .
The celebrity iCloud accounts may have been accessed after hackers guessed their usernames and passwords, possibly by answering the security questions Apple poses if someone loses their password.
It's also possible the celebrities fell victim to phishing attacks, which makes Soucek's finding even more worrying.
With iCloud credentials, it is possible to download the entire contents of an account to a new device, including photographs, text messages, call logs, address books, calendars and other information depending on what a person has chosen to store on iCloud.
Even if iCloud credentials are compromised, Apple has put other defenses in place. It now offers two-factor authentication and sends notifications when a new device is used to access an account or a password is changed.
(Excerpt) Read more at pcworld.com ...
"The vulnerability allows remote HTML content to be loaded in an email, which replaces the content of the email message. Soucek wrote he then built a functional password collector using HTML and CSS. He also published a demonstration video."
Oh, Good Grief. . . Souçek really is stretching on this one. . . he's the same guy who claims Apple hasn't fixed the other so-called iCloud vulnerability he claims to have found. This time he is claiming the ability of Apple Mail to display HTML and execute HTML scripting is a vulnerability because it can be used for phishing attacks against users of email.
The standard rules of using email, of not inputting any user names or passwords into any email or attachments, still stand, and clicking on any links in an email is a stupid thing to do, regardless of whether it is embedded HTML or remote HTML installed by a script in the email. Whichever it is, it is still a PHISHING attack on the user, nothing more.
Almost all email clients can display HTML; it is not a vulnerability, it is an intended feature. It can be turned off if the user does not wish to see HTML-displayed content. In fact, email containing HTML can be blocked from being received.

If you want on or off the Mac Ping List, Freepmail me.
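As an added example (not code from the article, from Soucek, or from the post above), here is the filtering side of the last point: a rule that parses a message with Python's standard email module and quarantines HTML mail whose body loads remote documents, or blocks HTML mail outright. The tag list and the two sample messages are constructed for the demonstration.

```python
"""Flag e-mail whose HTML body loads remote documents (added example; the
sample messages are constructed, not taken from the article or the thread)."""
from __future__ import annotations
import re
from email import message_from_string

# Tags that make a client fetch and render a remote document in place of,
# or on top of, the message's own markup. Absolute http(s) URLs only.
REMOTE_LOADERS = {
    "iframe": re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?https?://", re.I),
    "script": re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?https?://", re.I),
    "object": re.compile(r"<(?:object|embed)\b[^>]*\b(?:data|src)\s*=\s*[\"']?https?://", re.I),
    "meta-refresh": re.compile(r"<meta\b[^>]*\bhttp-equiv\s*=\s*[\"']?refresh\b", re.I),
}

def html_parts(msg) -> list[str]:
    """Decoded text of every text/html part (handles multipart/alternative)."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return out

def remote_loaders(raw_message: str) -> list[str]:
    """Names of the remote-loading constructs present in the HTML parts."""
    found: list[str] = []
    for html in html_parts(message_from_string(raw_message)):
        for name, pattern in REMOTE_LOADERS.items():
            if name not in found and pattern.search(html):
                found.append(name)
    return found

def verdict(raw_message: str, allow_html: bool = True) -> str:
    """Gateway/client rule. allow_html=False is the stricter option from the
    thread: refuse every HTML message, not only those pulling remote content."""
    if not html_parts(message_from_string(raw_message)):
        return "deliver"
    if not allow_html:
        return "block: html body"
    hits = remote_loaders(raw_message)
    return "quarantine: " + ", ".join(hits) if hits else "deliver"

# Constructed samples: one HTML message that embeds a remote document, one plain text.
SUSPICIOUS = ("Subject: constructed sample\nContent-Type: text/html; charset=utf-8\n\n"
              "<html><body><p>Original message text.</p>\n"
              '<iframe src="http://remote.example.invalid/page.html"></iframe>\n'
              "</body></html>\n")
PLAIN = "Subject: constructed sample\nContent-Type: text/plain\n\nNothing to render.\n"

if __name__ == "__main__":
    print(verdict(SUSPICIOUS), "|", verdict(PLAIN), "|", verdict(SUSPICIOUS, allow_html=False))
```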
Are you quite sure this isn’t satire?
No, it's not satire. But it would make good satire. It's the tail end of FUD week. . . and I think they are getting very desperate. Hilarious, ain't it?
Well, that's one word for it...
PC World should seriously be ashamed of itself for being taken in like this. It's gotta be a prank.
"Jan Soucek"... are we sure "soucek" isn't Hungarian for "coyote", or perhaps "bullchit artist"?
Well, Jan Souçek has been responsible for some remarkable bullshipping lately where Apple has been concerned. . . and it has been swallowed hook, line, and sinker by the Apple hating pundits who put it out unquestioned by anything. . . especially any legitimate fact checkers.
Ah, but fact checkers only get in the way of click-bait headlines, don'tcha know?
Their motto must be: "Don't ask any question you don't want the answer to."
"Facts? FACTS!? We don' need no steenkin' Facts."
Just like Apple’s system sound of a piano chord was called “SOSUMI”.
I’m sure you know the whole story, Dayglored, but it turned out it was Steve Jobs’ thumb snub to the Beatles who sued Apple for the Apple label on its records.
The stipulation was that Apple would “NOT get into the MUSIC BUSINESS” ... so Apple said “SO SUE ME” ... sosumi.