You should be wary of password prompts that appear on Apple iPhones or iPads running the iOS 8 operating system.

The default Mail app on these devices has a vulnerability that allows an attacker to create their own pop-up password prompt that looks like a legitimate Apple password prompt for services such as iCloud. Once you enter your password, the attacker can collect and store it for later use.

To minimise the risk to users, the Mail app generally does not allow remote HTML code to run in emails. However, a security researcher has found that the app in iOS 8 ignores a particular command and opens the way for remote HTML code to run on the device. This video explains the vulnerability in more detail.

Staying safe
Apple is understood to be working on a fix for the problem, which will be released as an update in the near future.

We recommend that you automate updates to ensure that you receive them as soon as possible.

If you use the default Mail app on your iPhone or iPad, we recommend that you do not enter your password into any password prompt that appears while you are checking your email.