Constant requests to enter your Apple ID password when using an iPhone could be used by hackers in a wide-scale phishing attack, according to a developer for Apple’s iOS platform.
Felix Krause says that sporadic demands for iPhone owners to enter their Apple ID password can be easily exploited by unscrupulous hackers looking to steal personal data.
Krause says that because third-party apps make demands for a password to be entered when using the likes of Game Center and iCloud, Apple is leaving itself open to a large-scale attack.
Onscreen alerts from Apple, which crop up on the lock screen and home screen, look identical to those found in third-party apps, Krause added, meaning users tend to enter their password automatically, without a second thought about who is requesting it.
“This could easily be abused by any app, just by showing an alert that looks exactly like the system dialogue. Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.”
Krause said on Twitter that it took him just 15 minutes to create a pop-up password request that looked identical to Apple’s official dialogue box.
Krause said the only way users could tell if a box was fake was to press the home button.
Because only Apple code can respond to home button presses, fake boxes would close along with the app in question. Official requests do not disappear when the home button is pressed.
Apple has yet to comment. That may be because any hacker-made app would still have to clear its stringent approval process in order to make it onto the App Store.