A bug in the Mail application pre-installed on all iOS devices, still present in iOS 8.3, has been discovered that would allow a hacker to send an unsuspecting user an e-mail that triggers a convincing pop-up asking for their iCloud e-mail address and iCloud password.
As noted by The Register, the bug causes Mail to load remote HTML code rather than the HTML contained in the e-mail itself. This means a hacker could set up a special program on the machine the e-mail was sent from that remotely triggers a program written to steal passwords.
The prompt auto-fills your iCloud e-mail address using your iOS device's configuration settings, which makes it all the more convincing. When the user enters their password, the hacker receives a copy of it and can access everything in the iCloud account without the user knowing.
Below, you can watch a video of just how convincing the pop-up message is:
The person who discovered the problem, Jan Souček, says that he found it in January 2015 and filed a radar with Apple to have it fixed. Apple has not responded to the radar and has reportedly failed to fix the problem in any software update since iOS 8.1.2, so even iOS 8.3 users remain vulnerable, and it is unknown whether iOS 8.4 will fix it either.
To raise awareness of the problem and to try to escalate Apple's urgency on the situation, Souček has published his Mail.app inject kit on GitHub as an open source project, so that anyone can get their hands on the code used to initiate the attack.
To protect yourself for the time being, do not enter your iCloud password in any prompt that appears while viewing e-mail in the Mail application for iOS.
We will keep you updated if Apple announces any fixes to the issue.
Sources: The Register