Apple users are at massive risk. Hackers can gain complete access with indistinguishable phishing scam.
A flaw in iOS design can allow any developer to replicate the familiar “Sign In to iTunes Store” pop-up on the iPhone and steal their password. A security researcher on Tuesday published a concept that proved that it was possible for a hacker to spoof the pop-up on the iPhone by creating a similar pop-up alert.
How can this be done?
According to the security researcher, developers can turn on an alert inside their apps that look identical to the original iPhone pop-up requesting a user’s credentials. If the person inputs the password, the hacker could steal the information and users wouldn’t even know they were targeted.
Even worse, the iOS users are accustomed to seeing the pop-up at random times, therefore, they won’t be able to differentiate between legitimate and fake ones
How can the hackers misuse the stolen Apple ID?
Apple ID is required when a user has to make an app purchase or when accessing iCloud Data that may include photos, location, Notes etc. Using the Apple Id the hackers can make purchases using your account and steal your iCloud data which might include all your personal data including SMS, location and private photographs.
How to stay protected?
According to the security researcher, there are two ways using which the users can stay protected.
On seeing such pop-ups it is suggested users should hit “Home” button, if both the app, over which it appeared, and the pop-up disappears, then it was a phishing attack. If the app and the pop-up are still there then it is legitimate pop-up.
Another way is not to enter the password altogether instead users should go to the Setting app manually and enter the credentials there, thereby eliminating the apps from the process altogether.
Ankush Johar, Director at HumanFirewall.io, said: “Phishing is one of the most successful attacks used by the malicious hackers. Humans are the weakest link in cybersecurity and hackers are well aware of that. Most advanced attacks are carried out via social engineering on the users. People should be vigilant while providing their confidential information like passwords online.
“iOS users are suggested not to respond immediately “Sign In to iTunes Store” pop-up and think before they enter their critical data. Furthermore, it is advised to change the existing Apple account’s password ASAP as there is a possibility that some malicious hacker might already have tricked you and extracted your password.
“Quick TIP: next time you see an Apple ID popup, press the home button and minimize all the apps. If the popup is genuine, it won’t get minimized with the apps instead it will stay on top of your home screen. On the other hand, if it does get minimized, it means that the popup was fake and generated via the malicious website or the app you were browsing. Stop using that app/website immediately. Your security is in your own hands, think before you click!”