The U.S. government warned iPhone and iPad users on Thursday to be on the alert for hackers who may exploit a vulnerability in Apple Inc's iOS operating system, which could allow them to steal data.
The potential hack, which involves using a newly identified technique known as the "Masque Attack," was confirmed in an online bulletin released by the National Cybersecurity and Communications Integration Center and the U.S. Computer Emergency Readiness Team, according to Reuters.
Network security company FireEye Inc disclosed the vulnerability behind the "Masque Attack" earlier this week. The company said it had been exploited to launch a campaign called "WireLurker" and that more attacks were likely to follow.
In order for the attack to succeed, a user must install an untrusted app.
"This technique takes advantage of a security weakness that allows an untrusted app, with the same 'bundle identifier' as that of a legitimate app, to replace the legitimate app on an affected device, while keeping all of the user's data," the government said in its bulletin. "This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple's own iOS platform apps, such as Mobile Safari, are not vulnerable."
Hackers could possibly steal login credentials, remotely monitor activity on those devices and access sensitive data stored on iOS devices, the government said, according to Reuters.
Attacks could be avoided if iPhone and iPod users only installed apps from Apple's App Store or from their own organizations.
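The missing check the bulletin describes can be modelled in a few lines of Python. This is an added illustration, not code from Apple, FireEye or the bulletin; the bundle identifier, signer labels and the `install`, `audit` and `demo` helpers are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    bundle_id: str
    signer: str        # signing identity; the labels used here are constructed
    data: tuple = ()   # user data held in the app's container

def install(device, new, enforce_matching_signer):
    """Install `new` on `device` (dict: bundle_id -> App); return the outcome."""
    old = device.get(new.bundle_id)
    if old is None:
        device[new.bundle_id] = new
        return "installed"
    if enforce_matching_signer and old.signer != new.signer:
        return "rejected"   # same bundle identifier, different certificate
    # An in-place replacement keeps the existing app's data.
    device[new.bundle_id] = App(new.bundle_id, new.signer, old.data)
    return "replaced"

def audit(device, baseline):
    """Bundle ids whose current signer differs from the expected one."""
    return sorted(b for b, app in device.items()
                  if b in baseline and app.signer != baseline[b])

def demo(enforce):
    # Constructed sample inventory, not real apps or certificates.
    baseline = {"com.example.bank": "Example Bank Inc"}
    device = {"com.example.bank":
              App("com.example.bank", "Example Bank Inc", ("saved-session",))}
    lookalike = App("com.example.bank", "Unknown Enterprise Cert")
    outcome = install(device, lookalike, enforce)
    return outcome, device["com.example.bank"], audit(device, baseline)

if __name__ == "__main__":
    for enforce in (False, True):
        print("enforce matching signer =", enforce, "->", demo(enforce))
```

Without the signer comparison the lookalike takes over the legitimate app's entry and inherits its data; an inventory audit against expected signers is what surfaces the swap afterwards.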
"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We're not aware of any customers that have actually been affected by this attack," Apple said in an emailed statement to Reuters.
Users are advised not to click "Install" from pop-ups while surfing the web.
If iOS displays a warning that reads "Untrusted App Developer," users should click on "Don't Trust" and immediately uninstall the app, the bulletin said.
Computer security alerts issued by the government are pretty rare, and just 13 have been sent over the course of 2014. Previous vulnerabilities that have prompted alerts include Heartbleed and an SSL 3.0 flaw called "Poodle."