
What is the need to redirect to harvest creds? #1

Closed
jeffxf opened this issue Jun 7, 2015 · 4 comments

Comments

@jeffxf

jeffxf commented Jun 7, 2015

I don't quite understand how this example shows that http-equiv enables credential harvesting. Even without using redirection, you can simply send a form that is styled like the iCloud login in an email to harvest credentials. Sure, the redirection adds a bit of a lag which improves the believability, but that's about it from what I can tell. Please correct me if I'm wrong or if anyone can think of other malicious use cases when allowing http-equiv in the Mail app. Sorry I posted this as an issue, but I wasn't sure where to have this conversation.

@jankais3r (Owner)

Hi Jeff,

that is actually a valid point. It is possible to send the contents of the index.php file directly and get very similar results: the form is displayed and functional.

However, you lose certain features by hardcoding the form directly into the e-mail:

  1. When you use this http-equiv method, the remote page containing the login form gets loaded only on a vulnerable iOS device. It wouldn't make much sense if it asked for Apple ID credentials with an iOS-styled dialog box when opened in Outlook or Gmail on the desktop, right? Because the redirect meta tag gets ignored by other mail clients, it will look like a regular e-mail message.
  2. You cannot use cookies in a regular HTML e-mail, therefore the login form would pop up every time a test subject opens the message.
  3. Once you send out an e-mail with a hardcoded login form, you cannot change your mind later. If you use this redirect method, you can replace the malicious page containing the login form with a simple page containing just the text of the original e-mail (e.g. after you've collected the login credentials).

Also, this proof of concept was meant only to demonstrate the redirect vulnerability, not to showcase credential harvesting. The vulnerability can be used for anything that requires HTML tags not supported by Mail.app.
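One defensive check this thread points at, added here as an example and not code from this repository: a scanner for HTML mail bodies that flags the meta-refresh redirect (assumed to be the standard `<meta http-equiv="refresh">` tag) which other clients ignore but the vulnerable Mail.app followed, and that stays quiet on a hard-coded form. The sample messages and hostnames are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample: an HTML e-mail body carrying the meta-refresh redirect
# (assumed here to be the standard <meta http-equiv="refresh"> tag the PoC
# relies on). Most mail clients ignore it; the vulnerable Mail.app followed it.
SAMPLE_REDIRECT_EMAIL = """<html><head>
<meta http-equiv="Refresh" content="0; url=https://landing.example.test/login">
<title>Account notice</title></head>
<body><p>Please review your recent account activity.</p></body></html>"""

# Constructed sample: a hard-coded login form, no redirect at all.
SAMPLE_FORM_EMAIL = """<html><body><form action="https://landing.example.test/post">
<input name="user"><input name="pass" type="password"></form></body></html>"""


def parse_refresh_content(content):
    # Split a refresh 'content' value into (delay_seconds, url). Accepts
    # '0; url=...', '0;URL="..."' and a bare '5' (timed reload, no URL).
    head, _, tail = content.partition(";")
    try:
        delay = int(head.strip())
    except ValueError:
        delay = None
    url = None
    if tail.strip():
        m = re.match(r"""\s*url\s*=\s*['"]?([^'"]*)['"]?""", tail, re.IGNORECASE)
        url = (m.group(1) if m else tail).strip() or None
    return delay, url


class MetaRefreshFinder(HTMLParser):
    # Collects every <meta http-equiv="refresh"> tag in the document.
    def __init__(self):
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs):  # also reached for <meta ... />
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        delay, url = parse_refresh_content(a.get("content", ""))
        self.redirects.append({"delay": delay, "url": url})


def find_meta_refresh(html):
    # Return the redirects found in an HTML mail body; non-empty means flag it.
    finder = MetaRefreshFinder()
    finder.feed(html)
    finder.close()
    return finder.redirects
```

A gateway or client-side filter that runs this over the HTML part of an inbound message gets the redirect target for logging or blocking, while the hard-coded-form case has to be caught by other means.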

@jeffxf (Author)

jeffxf commented Jun 7, 2015

All of those are good points, mainly #1 and the last part about being able to use other HTML tags that aren't supported. Good find and I appreciate the quick response.

@jeffxf jeffxf closed this as completed Jun 7, 2015
@OrlandoHC

Hi everybody, I'm working on a perfect clone of the actual iCloud login page; in a few days I'll share it with you... please be patient. Nice project, it's now running on my server.

@jankais3r (Owner)

There is a reason why the iCloud login dialog doesn't already look identical to the real thing. The reason is that this repository is not meant to be a ready-to-use kit to scam people. It is a proof of concept, with the dialog styled just similarly enough to the real thing to get the attention it needed to get the issue fixed. Please do not create pull requests with enhancements to the dialog's looks.

Repository owner locked and limited conversation to collaborators Jun 15, 2015