
iOS 8.3 inject kit

Back in January 2015 I stumbled upon a bug in iOS's mail client: a <meta http-equiv=refresh> HTML tag inside an e-mail message was not ignored. This bug allows remote HTML content to be loaded in place of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS.
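A defender's check for the behaviour described above, added here as an example and not part of the kit or its files: a mail-gateway style scanner that parses a MIME message, walks its text/html parts and reports every <meta http-equiv=refresh> tag together with the URL the refresh would load. The sample message, the domains and the function names are constructed for this example.

```python
"""Flag <meta http-equiv="refresh"> tags in the HTML parts of an e-mail.

Added example (not the inject kit's code): a mail client that honours
meta refresh inside a message can be made to load remote HTML in place
of the message body, so a gateway should flag such tags before delivery.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Matches the content attribute forms "5", "0; url=...", "url='...'" etc.
CONTENT_URL_RE = re.compile(
    r"""^\s*\d*\s*;?\s*url\s*=\s*['"]?([^'"]+)""", re.IGNORECASE
)


class MetaRefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv=refresh> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        if tag != "meta":
            return
        attrs = {name: (value or "") for name, value in attrs}
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = CONTENT_URL_RE.match(attrs.get("content", ""))
        # A refresh without url= reloads the same document; record it as "".
        self.targets.append(match.group(1).strip() if match else "")


def find_meta_refresh(html_text):
    """Return the refresh targets found in one HTML document (may be empty)."""
    finder = MetaRefreshFinder()
    finder.feed(html_text)
    finder.close()
    return finder.targets


def scan_message(raw_bytes):
    """Return [(content_type, refresh_target), ...] for every HTML part of
    the message that carries a meta refresh; an empty list means clean."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for target in find_meta_refresh(part.get_content()):
            hits.append((part.get_content_type(), target))
    return hits


# Constructed sample: a multipart/alternative message whose HTML part uses
# an upper-case, quoted variant of the tag. Domains are placeholders.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Plain-text alternative.
--b1
Content-Type: text/html; charset="utf-8"

<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://example.invalid/landing">
</head><body>Please update your details.</body></html>
--b1--
"""

if __name__ == "__main__":
    for content_type, target in scan_message(SAMPLE_MESSAGE):
        print(f"meta refresh in {content_type}: {target or '(self)'}")
```

The parser approach rather than a bare regex on the body matters here: the tag may be self-closing, upper-case, use single quotes or put the attributes in either order, and `HTMLParser` normalises all of that before the attribute values are inspected.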

It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof-of-concept code here.


Update 2015-06-30:

The exploit got a nice CVE-2015-3710 sticker and was fixed by Apple in iOS 8.4 and OS X 10.10.4. Kudos to Apple for the prompt response once the issue was made public.


  1. Edit the e-mail address you would like to use for password collection in framework.php
  2. Upload index.php, framework.php and mydata.txt to your server
  3. Send an e-mail containing the HTML code from email.html to the research subject
    • Don't forget to change the modal-username GET parameter value to the e-mail address of the recipient
    • You can use for testing purposes

  • The code detects (using cookies) that the research subject has already visited the page in the past and stops displaying the password prompt, to reduce suspicion.
  • The e-mail address and password are submitted via GET to framework.php, which saves them to the mydata.txt file, e-mails them to the specified "collector" e-mail address and then sends the research subject back by redirecting to message://dummy.
  • The password field has autofocus enabled. Focus detection is then used to hide the login dialog once the password field loses focus (e.g. after the subject clicks OK and submits the password).
  • Why even bother with this redirect nonsense when you can put <form> directly inside the HTML e-mail?