iPhone vulnerable to phishing, spamming flaws

Summary: Security researcher Aviv Raff has discovered a pair of basic design flaws that could turn your iPhone into easy bait for malicious phishing and spamming attacks. According to an advisory from Raff, the iPhone's Mail and Safari applications are susceptible to a URL spoofing vulnerability which allows attackers to conduct phishing attacks.


Security researcher Aviv Raff has discovered a pair of basic design flaws that could turn your iPhone into easy bait for malicious phishing and spamming attacks.

According to an advisory from Raff, the iPhone's Mail and Safari applications are susceptible to a URL spoofing vulnerability which allows attackers to conduct phishing attacks.

By creating a specially crafted URL and sending it via email, an attacker can convince the user that the spoofed URL, as shown in the Mail application, belongs to a trusted domain (e.g. a bank, PayPal, a social network, etc.).

When the user taps the URL, Safari opens. The spoofed URL shown in Safari's address bar will still appear to the victim to belong to a trusted domain.
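Raff withheld the details of the iPhone bug, so the following is not the disclosed technique; it is an added defender-side example (not from the article or Apple) showing the kind of mail-gateway check that catches two common display-versus-destination mismatches in HTML mail: link text that names one host while the href points at another, and credentials embedded in the URL that push the real host out of view. The mail body, host names and IP address are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: three links, two of which display a "trusted" host
# that is not where a browser would actually go.
SAMPLE_MAIL = """
<p>Please verify your account:</p>
<a href="http://www.bank.example.com.login-update.test/verify">
  https://www.bank.example.com/verify</a>
<a href="http://www.bank.example.com@198.51.100.7/login">www.bank.example.com</a>
<a href="https://www.bank.example.com/help">https://www.bank.example.com/help</a>
"""

def real_host(url):
    """Host a browser would connect to; urlsplit() strips any user:pass@ part."""
    return (urlsplit(url).hostname or "").lower()

def claimed_host(text):
    """Host a reader would infer from the visible link text."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return real_host(text)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def suspicious_links(html):
    """Return (href, reason) for links whose display does not match their destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.username or parts.password:
            findings.append((href, "credentials in URL hide real host"))
        elif "." in text and claimed_host(text) != real_host(href):
            findings.append((href, "visible text names a different host"))
    return findings
```

Flagged links can be quarantined or rewritten to show the real host; the check is deliberately host-only so that path and query differences on the genuine domain are not reported.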

[ SEE: Apple hasn’t learned from past security mistakes ]

iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Apple's security team has confirmed the vulnerability. Raff says he is withholding details until after a patch is released. In the meantime, iPhone users should avoid clicking on links in the Mail app that refer to trusted sites.

A second vulnerability in the iPhone Mail application that could help spammers was also reported and acknowledged as a security issue by Apple. Raff describes this as "a basic security design flaw which might already be exploited in-the-wild."

I have seen proof-of-concept code for both vulnerabilities and can confirm that the iPhone is potentially a phisher's/spammer's best friend.

ALSO SEE: Apple caught neglecting iPhone security


Talkback

41 comments
  • But I was told OS X would save me from things like this.

    [i]In the meantime, iPhone users should avoid clicking on links in the Mail app that refers to trusted sites.[/i]

    So if my mom sends me a link to a web album, I shouldn't open it for fear that it might steal my banking information? I moved away from Windows because I can't resist the urge to click on every link and run every attachment that gets emailed to me and Jobs promised me that all my security concerns would be a thing of the past if I simply moved to OS X. I gave up voice dialing, copy and paste, and had resigned myself to using a device as big, bulky, and heavy as the iPhone based on the promise that I could continue to click at will and suffer no consequences. I might as well go back to WindowsMobile where I still have to be careful what I click on but at least I get a fully functioning device! Anyone want to buy an iPhone?
    NonZealot
    • To be saved, you have to want to be saved...

      ...
      BitTwiddler
    • lol... good one...

      that is so funny.... what's the name of the anti-Mike Cox... oh wait, it is you!

      fully functioning... lol... that's great
      doh123
  • RE: iPhone vulnerable to phishing, spamming flaws

    Yes, I want your iPhone. I need 5 for a client's web app and
    used ones are selling for $400 on eBay. Someone must see
    some value in them over Windows mobile :-).

    I will trade you a couple of Treos for it. I can't get even $50
    on eBay for them.
    duane@...
    • It's a deal

      I just need your bank account info and your SIN. Actually, don't bother, I'll just get it from your iPhone. ;)
      NonZealot
  • PC FANboys say: iPhones are DANGEROUS

    PC FANboys warn:

    1) If you play monkeyball while driving on the express-way
    you might run into oncoming 16 wheelers and kill yourself

    2) If you drop 50 running iphones into the water while you
    are having a bath you may electrocute yourself

    3) If you microwave an iPhone with your dinner you might
    cause an explosion

    4) If you show too much enjoyment with your iPhone while
    near a PC convention where they are discussing how to
    solve Vista headaches you might be beat up by irate PC
    users

    5) If you drop an iPhone from the top floor of the sears
    tower you might hurt somebody

    6) If you ignore the warnings from every major bank telling
    clients they don't send emails asking for Passwords and
    you give your PIN number and password to phishing email
    on your iphone you might lose money

    So PC fanboys say "Please don't buy iPhones (and any
    Apple products). They are malicious and dangerous to your
    health! See I told you Apple makes horrible products"

    ------
    Davewrite
    • Apple math

      Number one is just too easy a shot - anyone else want to take a cheap crack at this one?

      No?

      Okay, here goes. Anyone who drives head-on into a "16" wheeler is obviously living in an Apple fanboi's world where leaving stuff out is commonplace. See Apple vs. PC commercials.

      So, where are the other two tires hiding, eh?
      Confused by religion
      • Got me there PC guy

        :)
        Davewrite
    • Quick we need some more apologists!

      If you bothered to read any of the rational criticisms of the iPhone - too little, too late - then you wouldn't have bought one anyway, so the latest screwups with it wouldn't be bothering you.

      You would also have had all the features of the iPhone 3 years ago - pity you never used a smartphone,

      Just bow to the Church of Apple with Steve Jobs as its prophet and repeat style and marketing are much more important than substance and whatever you do don't read The Emperor's New Clothes.
      tonymcs@...
      • of course...

        and why buy calculators to math... people had access to all those features with an abacus for hundreds of years!
        doh123
        • LOL - that was good...nt

          nt
          ItsTheBottomLine
        • I didn't know

          abacuses (abacii?) could do trig and graph functions. Dang it!
          tikigawd
          • how young are you?

            how young are you? Calculators existed a long time before they could do anything like that... but the principle still applies. You can do that stuff without the calculator and get the same results. Saying it's already been done, or that you can get the same result on another device or by another method, isn't a valid criticism... none of this stuff is actually needed, things got done fine before... there is more to it than just the end result.
            doh123
          • My point was that

            comparing a calculator to an abacus is a ridiculous analogy.
            If anything, if you truly think the iPhone improves on things other smart phones did already, compare a plain calculator to a graphical calculator.

            BTW, I'm 5. I'm really smart
            tikigawd
          • ... for my age, that is

            I think you're smarter than me because you're older.

            Can I be your friend?
            tikigawd
    • Those are boneheaded analogies, the problem is serious.

      Trust me, I am not a PC fanboy (assuming you are slamming anyone who uses Windows right?).

      Did you even read the article? It is bad enough that in the email, you [B]DON'T SEE THE REAL DESTINATION[/B] but [B]ALSO[/B] even if the user were to look at the browser URL, [B]IT IS SPOOFED TOO[/B]

      You know what, the INSTANT a flaw like this shows up on FF/TBird combo, I am using other applications until it is fixed. It makes one wonder if manually typing in PayPal.com with auto complete can lead you to a spoofed site (especially with DNS poisoning).

      Love your iPhone, love Apple, surround yourself in Apples, but don't spew forth unprovoked FUD because you saw a headline you didn't like.

      TripleII
      • I can see it now

        Alert! Alert! Alert!

        Your bank password needs change or you are in risk. Log into
        our secure bank site now and enter your password change
        information or access to your account may be suspeneded. We
        are not responsibel for suspeneded accounts. Change your
        password now by clicking at the link below.


        Yep, the Apple flaw is deadly because there is absolutely no
        way to tell if an email is suspicious.
        frgough
    • 16 wheelers??? (nt)

      nt
      Hallowed are the Ori
      • Those must be...

        the new Apple 16 wheelers - 'cleaner' look, less functional, but they cost twice as much as their 18 wheel counterparts and can only be driven on certain Apple-friendly (proprietary) roads.

        Oh yeah, and you can't check your email on those either for now.
        wcb42ad
    • YAWN - another boring rant...nt

      nt
      ItsTheBottomLine