This discovery is similar to the Google Docs phishing attack earlier this year. While this isn't necessarily a direct flaw within iOS, the attack vector is subtle and I bet it would fool many people. In fact, I would be surprised if this wasn't previously used in the wild for a targeted spear phishing campaign. (Edit: It appears that this flaw was uncovered back in 2015!)
Like Felix, I'm not going to release the code that creates the modal popup. You will need to spend a half hour of your own time doing that.
What to do about this? As always, be careful plugging your password into any box that pops up on your machine. What might be done within iOS? An indication that a system popup comes from outside the app/browser window may help, perhaps by changing the navigation bar to a different color. A better idea is to look toward Android and manage logins within an Accounts interface located within the system settings. That will ultimately need to be a decision by the iOS dev team.
Posted: Oct 10, 2017
Keyword tags: security, hacking, phishing