Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

iPhone vulnerable to phishing, spamming flaws

By Ryan Naraine | July 23, 2008, 11:58am PDT


Security researcher Aviv Raff has discovered a pair of basic design flaws that could turn your iPhone into easy bait for malicious phishing and spamming attacks.

According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL spoofing vulnerability which allows attackers to conduct phishing attacks.

By creating a specially crafted URL and sending it via email, an attacker can convince the user that the spoofed URL, as shown in the Mail application, belongs to a trusted domain (e.g. a bank, PayPal, a social network, etc.).

When the user taps the URL, Safari opens. The spoofed URL shown in Safari's address bar will still appear to the victim as if it belongs to the trusted domain.
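The defensive counterpart to the flaw described above is a client (or a careful reader) that compares the host a link actually points at with the host its visible text claims. The following is an added example, not code from the article or from Raff's advisory (whose details are withheld); the sample links are constructed, use reserved documentation addresses, and show generic mismatch patterns (a `user@host` prefix that pushes the real host out of view, a look-alike subdomain), not the iPhone-specific spoofing technique.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample links, each (text the reader sees, href the client would open).
# 203.0.113.0/24 and the .test TLD are reserved documentation values, not real hosts.
SAMPLE_LINKS = [
    ("https://www.paypal.com/login", "https://www.paypal.com/login"),
    ("paypal.com", "https://login.paypal.com/"),
    ("https://www.paypal.com/login", "https://www.paypal.com@203.0.113.7/login"),
    ("https://bank.example/secure", "https://bank.example.lookalike.test/secure"),
    ("Click here", "http://203.0.113.7/x"),
]


def actual_host(url: str) -> str:
    """Host a browser would really connect to: lowercased, with any user@
    prefix, port number and trailing dot stripped."""
    host = urlsplit(url.strip()).hostname or ""
    return host.lower().rstrip(".")


def claimed_host(text: str) -> Optional[str]:
    """Host the visible link text claims, or None if the text is not URL-like."""
    t = text.strip()
    if not t or any(c.isspace() for c in t):
        return None
    if "://" not in t:
        t = "http://" + t  # bare domains like "paypal.com" still parse
    try:
        host = urlsplit(t).hostname
    except ValueError:
        return None
    if not host or "." not in host:
        return None
    return host.lower().rstrip(".")


def same_site(claimed: str, actual: str) -> bool:
    """True when the real host is the claimed host or one of its subdomains."""
    return actual == claimed or actual.endswith("." + claimed)


def classify(text: str, href: str) -> str:
    """'match', 'mismatch', or 'opaque' (link text does not name a host at all)."""
    claimed = claimed_host(text)
    if claimed is None:
        return "opaque"
    return "match" if same_site(claimed, actual_host(href)) else "mismatch"


def audit(links):
    """Return [(text, href, real host, verdict)] for a list of (text, href) pairs."""
    return [(t, h, actual_host(h), classify(t, h)) for t, h in links]


if __name__ == "__main__":
    for text, href, host, verdict in audit(SAMPLE_LINKS):
        print(f"{verdict:8} shown={text!r} real_host={host!r}")
```

The useful output for a user is the `real_host` column: a mail client that displays that value next to every link, rather than only the link text, removes the guesswork the article's interim advice ("avoid clicking on links that refer to trusted sites") asks of the reader.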

[ SEE: Apple hasn’t learned from past security mistakes ]

iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Apple’s security team has confirmed the vulnerability. Raff says he is withholding details until after a patch is released. In the meantime, iPhone users should avoid clicking on links in the Mail app that refer to trusted sites.

A second vulnerability in the iPhone Mail application that could help spammers was also reported and acknowledged as a security issue by Apple.  Raff describes this as “a basic security design flaw which might already be exploited in-the-wild.”

I have seen proof-of-concept code for both vulnerabilities and can confirm that the iPhone is potentially a phisher’s/spammer’s best friend.

ALSO SEE: Apple caught neglecting iPhone security


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

42 Comments

RE: iPhone vulnerable to phishing, spamming flaws
lovedong 13th Sep
hmmmm,nice post i like you post replica watches
0 Votes
In the meantime, iPhone users should avoid clicking on links in the Mail app that refers to trusted sites.

So if my mom sends me a link to a web album, I shouldn't open it for fear that it might steal my banking information? I moved away from Windows because I can't resist the urge to click on every link and run every attachment that gets emailed to me and Jobs promised me that all my security concerns would be a thing of the past if I simply moved to OS X. I gave up voice dialing, copy and paste, and had resigned myself to using a device as big, bulky, and heavy as the iPhone based on the promise that I could continue to click at will and suffer no consequences. I might as well go back to WindowsMobile where I still have to be careful what I click on but at least I get a fully functioning device! Anyone want to buy an iPhone?
0 Votes
...
0 Votes
lol... good one...
doh123 23rd Jul 2008
that is so funny.... whats the name of the anti-Mike Cox... oh wait, it is you!

fully functioning... lol... that's great
0 Votes
Yes, I want your iPhone. I need 5 for a clients web app and
used ones are selling for $400 on eBay. Someone must see
some value in them over Windows mobile happy.

I will trade you a couple of Treos for it. I can't get even $50
on eBay for them.
0 Votes
It's a deal
NonZealot 23rd Jul 2008
I just need your bank account info and your SIN. Actually, don't bother, I'll just get it from your iPhone. wink
0 Votes
PC FANboys say: iPhones are DANGEROUS
Davewrite 23rd Jul 2008
PC FANboys warn:

1)If you play monkeyball while driving on the express-way
you might run into oncoming 16 wheelers and kill yourself

2) If you drop 50 running iphones into the water while you
are having a bath you may electrocute yourself

3) If you microwave an iPhone with your dinner you might
cause an explosion

4) If you show too much enjoyment with your iPhone while
near a PC convention where they are discussing how to
solve Vista headaches you might be beat up by irate PC
users

5) If you drop an iPhone from the top floor of the sears
tower you might hurt somebody

6) If you ignore the warnings from every major bank telling
clients they don't send emails asking for Passwords and
you give your PIN number and password to phishing email
on your iphone you might lose money

So PC fanboys say "Please don't buy iPhones (and any
Apple products). They are malicious and dangerous to your
health! See I told you Apple makes horrible products"

------
0 Votes
Apple math
Confused by religion 23rd Jul 2008
Number one is just too easy a shot - anyone else want to take a cheap crack at this one?

No?

Okay, here goes. Anyone who drives head-on into a "16" wheeler is obviously living in an Apple fanboi's world where leaving stuff out is commonplace. See Apple vs. PC commercials.

So, where are the other two tires hiding, eh?
0 Votes
Got me there PC guy
Davewrite 23rd Jul 2008
happy
0 Votes
Quick we need some more apologists!
tonymcs@... 23rd Jul 2008
If you bothered to read any of the rational criticisms of the iPhone - too little, too late - then you wouldn't have bought one anyway, so the latest screwups with it wouldn't be bothering you.

You would also have had all the features of the iPhone 3 years ago - pity you never used a smartphone,

Just bow to the Church of Apple with Steve Jobs as its prophet and repeat style and marketing are much more important than substance and whatever you do don't read The Emperor's New Clothes.
0 Votes
of course...
doh123 23rd Jul 2008
and why buy calculators to math... people had access to all those features with an abacus for hundreds of years!
0 Votes
LOL - that was good...nt
ItsTheBottomLine 24th Jul 2008
nt
0 Votes
I didn't know
tikigawd 24th Jul 2008
abacuses (abacii?) could do trig and graph functions. Dang it!
0 Votes
how young are you?
doh123 25th Jul 2008
how young are you? Calculators existed a long time before they could do anything like that... but the principle still applies. You can do that stuff without the calculator and get the same results. Saying its already been done, or that you can get the same result on another device or by another method, isn't a valid criticism... none of this stuff is actually needed, things got done fine before... there is more to it than just the end result.
0 Votes
My point was that
tikigawd 25th Jul 2008
comparing a calculator to an abacus is a ridiculous analogy.
If anything, if you truly think the iPhone improves on things other smart phones did already, compare a plain calculator to a graphical calculator.

BTW, I'm 5. I'm really smart
0 Votes
... for my age, that is
tikigawd 25th Jul 2008
I think you're smarter than me because you're older.

Can I be your friend?
0 Votes
Those are boneheaded analogies, the problem is serious.
TripleII-21189418044173169409978279405827 Updated - 23rd Jul 2008
Trust me, I am not a PC fanboy (assuming you are slamming anyone who uses Windows right?).

Did you even read the article. It is bad enough that in the email, you DON'T SEE THE REAL DESTINATION but ALSO even if the user were to look at the browser url, IT IS SPOOFED TOO

You know what, the INSTANT a flaw like this shows up on FF/TBird combo, I am using other applications until it is fixed. It makes one wonder if manually typing in PayPal.com with auto complete can lead you to a spoofed site (especially with DNS poisoning).

Love your iPhone, love Apple, surround yourself in Apples, but don't spew forth unprovoked FUD because you saw a headline you didn't like.

TripleII
0 Votes
I can see it now
frgough 4th Aug 2008
Alert! Alert! Alert!

Your bank password needs change or you are in risk. Log into
our secure bank site now and enter your password change
information or access to your account may be suspeneded. We
are not responsibel for suspeneded accounts. Change your
password now by clicking at the link below.


Yep, the Apple flaw is deadly because there is absolutely no
way to tell if an email is suspicious.
0 Votes
16 wheelers??? (nt)
Hallowed are the Ori 24th Jul 2008
nt
0 Votes
Those must be...
wcb42ad 24th Jul 2008
the new Apple 16 wheelers - 'cleaner' look, less functional, but they cost twice as much as their 18 wheel counterparts and can only be driven on certain Apple-friendly (proprietary) roads.

Oh yeah, and you can't check your email on those either for now.
0 Votes
YAWN - another boring rant...nt
ItsTheBottomLine 24th Jul 2008
nt
0 Votes
I think you mean....
Hallowed are the Ori 24th Jul 2008
iRant.
0 Votes
Vista problems??
ditkazbearz 24th Nov 2008
Can you list them?
SP1 took care of all of mine happy
0 Votes
iPhone is shown to be insecure (like other "quality" Apple products such as QT, Safari etc.)

It's almost as surprising as:

SHOCK, HORROR.....DOG BARKS
0 Votes
Cause Microsoft is soooooo secure...
ColDave 24th Jul 2008
I love these Apple bashers when Microsoft is the BIGGEST manufacturer of security and application flaws IN THE WORLD. I live, work and am certified in Microsoft products and I used to have the 2G iPhone. Before that I had the BlackJack. So I have used "SmartPhones" as well. I hacked and jailbroke every phone I've ever had. I am also a SMART user. Smart users don't get spoofed or exploited. Data drives everything. Security protects it. If you are knowledgeable of how they tie into each other, this and most other security flaws won't affect you.

Simple..
0 Votes
Not completely accurate
Goblyn 24th Jul 2008
To say that "Microsoft is the BIGGEST manufacturer of security and application flaws IN THE WORLD" isn't quite true. To be a fair comparison, you would need an equal amount of people attempting to exploit all the operating systems with relatively equal skills. It is safe to say that, because MS has a 95% market share in the operating system market, most hacking efforts target Microsoft, and therefore its flaws and vulnerabilities, due to the law of averages, completely outnumber other operating systems' flaws. If Apple were able to capture more market share, you would see more flaws with Apple's operating systems.

Hate tha game, not tha playahs.
0 Votes
Apple Is Dying!!!!
Misha35 24th Jul 2008
Again!
0 Votes
Whoah!
wcb42ad 24th Jul 2008
You mean Apple is dying too?? No way!! What a coincidence! We've been hearing that about Windows for years now as well.
0 Votes
Still "reading" it - see itanal, and fr0th...
ItsTheBottomLine 24th Jul 2008
they are funny to read.
0 Votes
Well surprise, surprise
eMJayy 24th Jul 2008
There's a critical flaw...but is it really that surprising?...

This is what results when a company becomes overconfident when it comes to security. Software can only be said to be secure when all have tried and failed to break it. Apple has made grand claims about its security despite being among the least tested in the field. It's like building a wooden house without using nails - it all comes crashing down on your head with the slightest breeze.
0 Votes
Phishing attacks are not viruses or malware
Leland Scott 24th Jul 2008
Phishing scams are very bad, but they are not the same as
viruses or malware that gets installed on your operating
system. Not even in the same category. They are simply a
sophisticated con, and unfortunately there are a lot of
naive, clueless web users who will click on any link they're
offered. Then again, I know people who are so paranoid
they won't click on any link in an email at all... even if it
comes from a trusted source (like a friend). I'm not at all
convinced that anti-phishing software will work any better
than junk-mail filters have, though I understand the need
to try.

All you guys who are so hot to jump on Apple need to at
least know what you're talking about. Though the
companies who make money on security vulnerabilities
like to lump phishing in with "security" flaws, in my opinion
they aren't. Why? Because they pose no threat to the
integrity of your computer or to your network.
0 Votes
You're kidding right?
eMJayy Updated - 24th Jul 2008
Phishing vulnerability is a security vulnerability of the worst kind - there are potentially real-world consequences to your bank accounts in particular, and to financial institutions in general. Malware and viruses are bothersome most times; but what make them dangerous is the ability to gather critical information that can be used against your will..and that's what phishing is ALL about..I guess, to you, losing sole possession of your banking info, social security number and IDENTITY is merely bothersome?
0 Votes
Weakest link
cwbuechler@... 24th Jul 2008
While i admit that there is a problem when a browser can
be fooled this vulnerability still plays to the weakest link in
security -- the end user.

People need to take some responsibility for protecting
themselves. Neither Microsoft nor Apple are flawless, but if
you still think your bank or ebay will send an email
requesting your login information I am a lawyer
representing a client in South Africa who want to funnel
$10 million USD through your bank.

Wake up and stop blaming a manufacturer for people's
blatant stupidity. Yeah it should have never gone out the
way it did, but it is a mistake that will be fixed.
0 Votes
there's blame to be had
zupobaloop 24th Jul 2008
I know you're not serious. After all, from the sounds of it you've used ebay, or paypal, or any such site. They all grant as the best end-user protection from fraud is to check the URL, and retype it manually. Granted these spamming and phishing scams would be foiled by retyping the URL, they would not be simply by checking the address bar.

Did you read the article?
0 Votes
ahhaha are you serious?
zupobaloop 24th Jul 2008
That's the stupidest thing I've ever heard. Seriously, I was going down the posts and didn't see one stupid mac-head response, until I came to this.

People aren't phishing to find out your favorite color... It's to get you to download a virus or give up information. That's not a threat?
0 Votes
"Stupidest" is not a word
Leland Scott 24th Jul 2008
Do you have to be a "mac-head" to think for yourself these
days? Try reading my message again, and maybe you'll have
better luck understanding my argument.
0 Votes
Apple a victim of their own propaganda
LDCMobile 30th Jul 2008
The problem is Apple does a piss poor job of educating users about phishing, malware, worms, and viruses. Most of the hype about Mac OS is how either invulnerable the OS is to attacks or that attacks simply aren't created for their platform.

Users are lulled into the notion of "it just works" when in reality users need to have due diligence when web browsing
0 Votes
Not kidding, and serious
Leland Scott 24th Jul 2008
Of course it's bothersome... on the same plane as the
scum who trick old ladies out of their social security
checks by conning them into some phony investment.

Phishing is more insidious, but if you have an ounce of
common sense, it's easily avoided.

Not so with viruses and spyware, which can invade your
system without any action on your part... not even clicking
on a link. If following a link loads a virus, that's not
phishing, defined as "the activity of defrauding
an online account holder of financial information by posing
as a legitimate company".

My point is, phishing is not so much a security liability as it
is a privacy issue... Phishing amounts to identity theft.

I'm not arguing that phishing isn't a serious concern that
needs to be addressed. But I'm saying it's not a security
issues in that it doesn't install software on your system,
invade your network, or propagate itself to others.

I am arguing that it's more like spam, which is likewise a
serious problem that can lead individuals to dangerous
websites or tempt them into bad decisions. Like spam, I'm
doubtful that any software solution to eradicate phishing is
possible.

In this light, the urgency to correct a phishing vulnerability
is much lower than that to correct a security vulnerability,
and the fact that such a vulnerability exists should not
alarm users to the same degree.
Phishing is only about fooling someone into clicking a link. Sometimes it may contain a form which you enter details, other times it may be malware, virus, or just to login to their bank and steal their money. The point is it's not just fooling someone into getting their personal details.
0 Votes
Just a question
zeolacy 24th Jul 2008
What if the company you work for has some sort of intranet and the phishers get the layout of the login pages?
0 Votes
What did you expect?
MIKEC0X 4th Aug 2008
Just as I was about to dig into the Oysters Rothschild braised
in frenchwine and scallions, my rep and FSB brought this very
thing up. We talked about it and concluded that only
Microsoft has any clue on how to do security right!
http://fakesteveballmer.blogspot.com
Apple is and shall ever be a wannabe company!
0 Votes
Microsoft Is A Security Expert???
Leland Scott 12th Aug 2008
That's a laugh. Microsoft is the reason the whole security
industry is so big and intrusive today. Has MS learned their
lessons? I hope so. But history will show that their earlier
security lapses has resulted in huge wastes of resources
and dollars to both businesses and consumers.

You want to trust Microsoft for security, go right ahead.
They sure have a good track record. wink

Yes, they're very good at releasing patches by the
boatload. But doesn't that speak more to the insecure
nature of the beast, as well as their long experience at
doing so? Problem is, IT guys now believe that the way MS
operates is the inevitable approach.

No, it's just the approach that's become necessary because
of Microsoft's prior ignorance about security in Windows,
MS Office, and IE.
