Researcher Publishes Two iPhone Vulnerabilities That Apple Just Wouldn’t Patch
A security expert, Aviv Raff, is advising iPhone users not to use the device’s default email application until engineers patch a design flaw that could expose users’ email addresses to spammers and other online fraudsters.
The warning comes two months after Raff first reported two email-related vulnerabilities in the iPhone to Apple’s security department. Apple has updated the gadget three times since then, but has yet to fix either weakness. Late last week, after Apple refused to say when the patches might be delivered, Raff decided to publicly disclose the technical details. “I’ve asked Apple several times for a schedule, but they have refused to provide the fix date. Three versions (v2.0.1, v2.02, v2.1) have been released since I provided them with the details, and they are still ‘working on it’. Therefore, I’ve decided to publicly disclose the technical details,” writes Raff.
The first defect resides in Apple’s Mail application. Unlike most email clients, the program automatically downloads images embedded in HTML mail messages. That can be a problem for people who want to fly under the radar of spammers, because downloading so-called beacon images embedded in spam and phishing messages is one technique scammers use to sort live email accounts from inactive ones.
The iPhone’s Mail application downloads all images automatically, and there is no way to disable this feature, Raff writes in his blog. “So, my only suggestion is to avoid using the Mail application until a fix is available.”
Raff also disclosed details of a separate iPhone flaw that puts users at risk of visiting websites secretly under the control of miscreants. The flaw, which resides in Mail and the iPhone version of the Safari browser, truncates long internet addresses, making them appear to be friendly when in fact they are not.
For example, the link that appears to point to https://securelogin.facebook.com/ might in fact point to a website controlled by cybercriminals, http://securelogin.facebook.com.phishers-site.com/. When a user clicks on the link, Safari opens and the address bar shows only https://securelogin.facebook.com/, further making it hard for users to know they’ve been led astray.
“The problem here is that an attacker can set a long subdomain (~24 characters) that, when cut off in the middle, will look as if it’s a trusted domain,” Raff wrote.
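The truncation problem described above, as an added illustration that is not part of the original article or of Apple’s code: a display that keeps only the first 24 characters of the hostname shows the same text for the legitimate address and for the look-alike from the example, while a check on the parsed hostname’s registrable domain tells them apart. The 24-character width and the two-label domain rule are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample URLs, taken from the article's example.
LEGIT_URL = "https://securelogin.facebook.com/"
LOOKALIKE_URL = "http://securelogin.facebook.com.phishers-site.com/"


def displayed_host(url: str, width: int = 24) -> str:
    """Model of a UI that shows only the first `width` characters of the
    hostname (an assumed model of the truncation described, not Apple's code)."""
    host = urlsplit(url).hostname or ""
    return host[:width]


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.
    Simplified: production code should consult the Public Suffix List so that
    names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_is_trusted(url: str, trusted_domain: str) -> bool:
    """Decide trust from the parsed hostname's registrable domain, never from
    the leading characters of whatever string happens to be displayed."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) == trusted_domain.lower()


def display_is_misleading(url: str, width: int = 24) -> bool:
    """Flag a link whose truncated display implies a different registrable
    domain than the one the browser would actually connect to."""
    actual_host = urlsplit(url).hostname or ""
    shown = displayed_host(url, width)
    return registrable_domain(shown) != registrable_domain(actual_host)


if __name__ == "__main__":
    for url in (LEGIT_URL, LOOKALIKE_URL):
        print(f"{url}")
        print(f"  shown as   : {displayed_host(url)}")
        print(f"  real domain: {registrable_domain(urlsplit(url).hostname)}")
        print(f"  trusted    : {link_is_trusted(url, 'facebook.com')}")
        print(f"  misleading : {display_is_misleading(url)}")
```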
Apple is usually slow to fix iPhone flaws, so users should be extra careful when using the iPhone’s Mail application.