Security researcher Jan Soucek discovered an iOS Mail bug a while back that allows attackers to run remote HTML code when an email is opened. What this means is that a malicious user who knows about the bug could create a phishing email that prompts users for their iCloud login. Once the login has been entered, the unsuspecting victim has handed over the keys to everything secured with Apple ID credentials. Here’s Soucek’s demonstration video of the bug in action:
The only way to skirt this issue right now is to be vigilant. If you’re reading mail on your iOS device and a popup asks you to log into a system — iCloud or other — don’t. The bug was initially filed with Apple in January, but the company has not yet fixed this problem. To force the issue and get things fixed as soon as possible, Soucek uploaded the proof of concept code to GitHub.
So once again: if you’re reading mail in the iOS Mail app and you’re asked to log into any system, wait until you’re prompted when you’re out of Mail to be safe. Alternatively, log back into the system through other means, such as Settings.