
July 23rd, 2008

iPhone vulnerable to phishing, spamming flaws

Posted by Ryan Naraine @ 11:58 am

Categories: Patch Watch, Apple, Browsers, Vulnerability research, Responsible disclosure, Exploit code, Data theft, Passwords, Phishing, Arbitrary Code Execution, Mobile (In)Security, Malware

Tags: Apple iPhone, Apple Safari, Vulnerability, Spamming, Flaw, Aviv Raff, Phishing, Spam, Security, Spam And Phishing

Security researcher Aviv Raff has discovered a pair of basic design flaws that could turn your iPhone into easy bait for malicious phishing and spamming attacks.

According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL spoofing vulnerability that allows attackers to conduct phishing attacks.

By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.).

When clicking on the URL, the Safari browser will be opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain.

[ SEE: Apple hasn’t learned from past security mistakes ]

iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Apple’s security team has confirmed the vulnerability. Raff says he is withholding details until after a patch is released. In the meantime, iPhone users should avoid clicking on links in the Mail app that refer to trusted sites.

A second vulnerability in the iPhone Mail application that could help spammers was also reported and acknowledged as a security issue by Apple. Raff describes this as “a basic security design flaw which might already be exploited in-the-wild.”

I have seen proof-of-concept code for both vulnerabilities and can confirm that the iPhone is potentially a phisher’s/spammer’s best friend.

ALSO SEE: Apple caught neglecting iPhone security

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.


