A developer has discovered a serious flaw in Apple's iOS that could trick users into giving out their log-in credentials to hackers.
Apple was already informed regarding the serious matter and is currently working on a software update to fix it, Ars Technica reported.
According to developer and Github user Jansoucek, the problem is rooted in iOS' native email program, the Mail app. The developer explained that since the release of iOS 8.3, the operating system has stopped removing HTML codes from email messages. Hackers can take advantage of this by downloading a type of form that appears like an authentic iCloud log-in prompt from a remote server.
This form is then displayed when users open an email message with the malicious HTML code. The prompt will ask them to enter their iCloud log-in credentials such as their usernames and passwords.
To further trick users into thinking that the prompt is authentic, it will only be displayed once, not each time the email message is opened.
Once users enter their credentials, hackers will be able to gain access to their accounts.
Despite the realistic appearance of the prompt, there are certain details that show that it is not authentic. For one, the real iCloud prompt only asks for a password and not the username. The fake one, on the other hand, requires users to enter both details.
In addition, the authentic prompt automatically comes with the keyboard. In the other one, users have to tap on the prompt to activate this feature, according to NDTV.
To avoid getting their credentials stolen, security experts strongly advise users to just click on the Cancel button once the fake iCloud prompt pops up.
Apple was already notified regarding the iOS flaw. Although the company admitted that it has not yet received complaints or reports directly from its customers, the Cupertino-based tech firm assured users that it will release a software update to solve the problem.
