Ernst and Young forensic bod Jan Soucek has created a tool that generates slick iCloud password phishing emails and, he says, exploits an unpatched bug affecting millions of Apple users.

The researcher created the iOS 8.3 Mail.app inject kit, which exploits a bug in the operating system's native email client to produce a realistic pop-up of the kind to which Apple users are accustomed.

Soucek (@jansoucek) says Cupertino did not respond when he informed it of the bug in January.

"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tags in email messages not being ignored," Soucek says.

"This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS.

"It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2."

Phishers using the free tool can customise their phishing campaigns to pluck whichever credentials they wish to harvest. Victims would see only a slick pop-up within the iOS Mail app that would not look out of place among regular iCloud authentication requests.

Soucek's http-equiv tool sets cookies on iDevices so that each victim is targeted only once.

He says it is a better phishing tool than a form placed directly within an HTML email because it targets only users of the iOS app and allows changes to be made to already-live phishing campaigns.
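For mail administrators, one way to spot messages that rely on this behaviour is to decode each HTML part at the gateway and flag any `<meta>` element carrying an `http-equiv` attribute. The Python sketch below is an added example, not Soucek's code or Apple's; it assumes, from the article's "http-equiv tool" wording, that such an element is the tag involved, and the sample messages and the `example.invalid` URL are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

class MetaHttpEquivFinder(HTMLParser):
    """Collects (http-equiv, content) pairs from every <meta> tag seen."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if "http-equiv" in a:
            self.hits.append((a["http-equiv"].strip().lower(), a.get("content", "")))

def scan_message(raw_bytes):
    """Return http-equiv findings for every text/html part of a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = MetaHttpEquivFinder()
        # get_content() undoes base64 / quoted-printable and the charset,
        # so an encoded body cannot hide the tag from the scan.
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.hits)
    return findings

def build_sample(html, cte):
    """Constructed test message: plain-text part plus an HTML alternative."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain fallback")
    m.add_alternative(html, subtype="html", cte=cte)
    return m.as_bytes()

# Constructed inputs, not taken from any real campaign.
BENIGN_HTML = "<html><body><p>Hello</p></body></html>"
SUSPECT_HTML = '<meta http-equiv="refresh" content="0; url=https://example.invalid/">'

if __name__ == "__main__":
    print(scan_message(build_sample(BENIGN_HTML, "7bit")))
    print(scan_message(build_sample(SUSPECT_HTML, "base64")))
```

Because the suspect sample is base64-encoded, a plain string search of the raw message would not find `http-equiv`; the scan only works after MIME decoding.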

His publication of the tool should not be considered malicious; white hat security bods often publish complex and refined phishing tools for professionals to use within organisations in order to shore up social engineering awareness. ®