iOS Privacy: steal.password – Easily get the user’s Apple ID password, just by asking

Felix Krause:

iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.

As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.

This could easily be abused by any app, just by showing an UIAlertController, that looks exactly like the system dialog.

Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.

These dialog boxes pop up all the time and users who aren’t tech savvy can, will and do just type in their passwords without thinking about why they are doing it.

  • Tony

    I get that this is a theoretical possibility, but are non-tech-savvy users jailbreaking their phones and/or side loading apps? How likely is it that an app with a fake OS dialog box makes it through app review?

    • To the last question, I don’t think Apple’s review process relies on good judgement on the part of reviewers anymore. And it’s pretty trivial to provide different behaviour to users vs. the review team (I did it by accident, not on purpose).

  • Which Apple services are available without authenticating via TFA (assuming it’s enabled) these days?

    This is a real question, not a rhetorical one. I’m sure there are some.

    • Meaux

      Find My iPhone.

      Also, from the article, “Also, even with 2FA enabled accounts, what if the app asked you for your 2 step code? Most users would gladly request a 2FA-token and ask for it, and directly pipe it over to a remote server.”

      • I thought Find My Phone got “fixed” recently, but I’ll accept that because I didn’t follow the resolution very closely. 🙂

        The 2FA token thing I’d need a proof of concept to accept, though. I don’t think a third party app could pull off requesting/accepting a code.

        • Meaux

          You can’t fix Find My iPhone with 2FA because you could be looking for your second factor.

          Sure it does. Remote site gets your credentials. This triggers the site to try to log in. The remote site is then prompted for an OTP. You get a text and enter it into the app, which sends it to the remote site which sends it to Apple to create a new trusted device.

  • Herding_sheep

    This is actually something I thought about recently a little concerned. I had Youtube ask me for Apple ID credentials, using a system dialog pop up, and this thought immediately came to mind for me. First I thought why the hell would Youtube need iTunes credentials? Then I realized I signed up for a YT Red trial through the App Store.

    To those thinking app review should catch these attempts, thats not always the case. This is a real possibility.

    • Mo

      A little specificity on what’s asking for authentication would help, too.

      • James Hughes

        Right, something along the lines of: “This YouTube Red subscription was purchased through iTunes. Please provide your iTunes credentials to continue”. Seriously, it’s about as hard to do as what I just did here. Maybe Google doesn’t have the resources? /s (don’t think I need that, but you never know!)

        • Mo

          Exactly. There’s no need for vagueness, is there?

          • James Hughes

            None at all, none at all. Laziness? ”What prompt should I use here?” “I dunno… use one of the standard one’s”

          • Mo


          • James Hughes


          • Mo


  • Mo

    Abort, Retry, Fail?

    • James Hughes


  • JimCracky

    Maybe as a culture it’s time to make things harder to use, not easier.

  • Funny how everybody takes this at face value.

    Mr Krause writes: “iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.”

    After an iOS operating system is upgraded (not updated) or reinstalled you are asked to enter your “iCloud” password if desired to enable iCloud services and features. Also if I remember correctly the iOS App Store will only ask for a password when it’s active. So if you have a stuck app one would have to open the App store or use Mac’s iTunes App to “unstuck” it. Last the only other iOS app which would even ask for your “iTunes Password” (which is not necessarily your iCloud password) is iOS’s iTunes App, GameCenter and when MAKING an In-App-Purchases.

    The real problem are Users affected with “Pavlov’s Dog syndrome”. The solution is to enforce good computing habits such as reading and understang pop-up messages and not just automatically “clicking OK”, which shold start in schools and other learning environments.