Apple has changed its SMS autofill format to a newer secure one in order to block phishing attacks. Both iOS and macOS support a feature that allows two-factor authentication codes sent via SMS to be auto-populated in fields in apps and browsers.
This feature would parse the two-factor authentication code from an SMS, but it was being abused by phishing attacks. Fake links could trick people into auto-filling a two-factor authentication code in the wrong place, which could provide private data access to hackers.
Apple’s new format for blocking SMS autofill phishing attacks
As noted by Macworld, here is the change in the SMS formats. The older one looked like this:
Your Apple ID Code is 123456. Don’t share it with anyone.
The newer format looks like this:
Your Apple ID Code is: 123456. Don’t share it with anyone. @apple.com #123456 %apple.com
The newer SMS format specifically mentions the domain of the websites where the two-factor authentication code can be used, so a fake phishing website cannot receive a code that is meant for an actual website. The code is also repeated again after the domain, with a hashtag this time. If the website uses an iframe, the source URL of the iframe is mentioned after a % symbol.
As announced back in August 2020, the spec suggests using @ for iframe URLs, but Apple has opted for the % sign, probably to differentiate it from the domain.
It is important to note that this change is a proposal by Apple and is yet to be implemented in iOS 15 and macOS 12.3. If implemented, it will protect against phishing attacks, but it is important to remember that SMS is still not a secure medium.
It is recommended to always opt for 2FA code generators, which are available via many third-party apps, and even built into Apple’s own password manager in iOS and macOS now.
