iOS 8.3 Mail.app inject kit
Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in the <meta http-equiv=refresh> HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS.
It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here.
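A defender-side check for the trigger described above, added here as an example and not part of the inject kit: it walks every text/html part of a raw message and reports any <meta http-equiv=refresh> redirect target, so mail filters or forensic triage can flag messages that would have had their body swapped out. The sample message, its addresses and the placeholder.invalid URL are constructed for the demo.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a multipart message whose HTML part carries the
# meta-refresh tag that iOS 8.3 Mail.app failed to ignore (CVE-2015-3710).
SAMPLE_EML = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Plain text fallback.

--b1
Content-Type: text/html; charset=utf-8

<html><head>
<META HTTP-EQUIV=refresh content="0; url=http://placeholder.invalid/index.php">
</head><body>Hello</body></html>

--b1--
"""


class MetaRefreshFinder(HTMLParser):
    """Collects redirect targets from <meta http-equiv=refresh> tags,
    regardless of attribute case, quoting or order."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            return
        url = ""
        # content looks like "0; url=http://..."; keep the URL part if present
        for piece in attrs.get("content", "").split(";", 1)[1:]:
            piece = piece.strip()
            if piece.lower().startswith("url="):
                url = piece[4:].strip().strip("'\"")
        self.targets.append(url)


def find_meta_refresh(raw: bytes) -> list:
    """Return refresh URLs found in every text/html part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = MetaRefreshFinder()
        finder.feed(part.get_content())
        found.extend(finder.targets)
    return found
```

A non-empty result is a strong signal on its own, since there is no legitimate reason for a mail body to redirect the reader elsewhere.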
Demo: https://www.youtube.com/watch?v=9wiMG-oqKf0
The exploit got a nice CVE-2015-3710 sticker and was fixed by Apple in iOS 8.4 and OS X 10.10.4. Kudos to Apple for a prompt response once it was published publicly.
Files: framework.php, index.php, mydata.txt, email.html

Usage:
1. Upload index.php, framework.php and mydata.txt to your server.
2. Send email.html to the research subject.
3. Set the modal-username GET parameter value to the e-mail address of the recipient.

License: MIT

How it works: the collected credentials are passed to framework.php, which then saves them to the mydata.txt file, sends them out via e-mail to the specified "collector" e-mail address and then returns the research subject back to Mail.app using a redirect to message://dummy.

FAQ: Why not use <form> directly inside the HTML e-mail?