iPhone vulnerable to phishing, spamming flaws


Security researcher Aviv Raff has discovered a pair of basic design flaws that could turn your iPhone into easy bait for malicious phishing and spamming attacks.

According to an advisory from Raff, the iPhone's Mail and Safari applications are susceptible to a URL spoofing vulnerability that allows attackers to conduct phishing attacks.

By creating a specially crafted URL and sending it via email, an attacker can convince the user that the spoofed URL, as shown in the Mail application, belongs to a trusted domain (e.g. a bank, PayPal, a social network, etc.).

When the user clicks the URL, the Safari browser opens. The spoofed URL, as shown in Safari's address bar, will still appear to the victim as if it belongs to the trusted domain.


iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Apple's security team has confirmed the vulnerability. Raff says he is withholding details until after a patch is released. In the meantime, iPhone users should avoid clicking on links in the Mail app that refer to trusted sites.

A second vulnerability in the iPhone Mail application that could help spammers was also reported and acknowledged as a security issue by Apple. Raff describes this as "a basic security design flaw which might already be exploited in-the-wild."

I have seen proof-of-concept code for both vulnerabilities and can confirm that the iPhone is potentially a phisher's/spammer's best friend.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
