Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 23rd, 2008

Basic Flaws Allow Phishing And Spamming Vulnerabilities In iPhone

Security researcher Aviv Raff has discovered a pair of basic design flaws that could allow phishing and spamming attacks against iPhone users. According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL spoofing vulnerability that allows attackers to conduct phishing attacks. iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Earlier versions might also be affected.

By creating a specially crafted URL and sending it via email, an attacker can convince the user that the spoofed URL, as shown in the Mail application, belongs to a trusted domain (e.g. a bank, PayPal, a social network, etc.). When the user clicks the URL, Safari opens. The spoofed URL, as shown in Safari’s address bar, will still appear to the victim to belong to the trusted domain.
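The advisory does not spell out how the crafted URL achieves the spoof, so the following added example (not code from Raff’s advisory or from Apple) implements generic defender-side checks that a mail client, a mail gateway or a cautious user could apply to a link before trusting it: it resolves the host the browser would actually connect to, flags user-info placed before the host, flags a trusted domain name that appears somewhere in the URL without being its real destination, and compares a link’s displayed text against its actual target. The trusted-domain list, the sample URLs and the two-label registrable-domain heuristic are constructed assumptions for the example, not values from the page.

```python
from urllib.parse import urlsplit

# Constructed sample: domains the user treats as trusted (assumption, not from the advisory).
TRUSTED_DOMAINS = ("paypal.com", "bank.example")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list is consulted; adequate for the sample data here.
    A literal IPv4 address is returned unchanged.
    """
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host.lower()
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(url):
    """Return (effective_host, warnings) for a URL.

    effective_host is the host the browser would really connect to; warnings lists
    the reasons a reader should not trust the URL as it is displayed.
    """
    parts = urlsplit(url)
    warnings = []
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        warnings.append("unexpected scheme %r" % parts.scheme)

    # Anything before '@' in the authority is user-info, not the destination host.
    if parts.username is not None or parts.password is not None:
        warnings.append("user-info before host: text before '@' is not the destination")

    # A trusted name that appears in the URL but is not the registrable domain of the
    # real host (e.g. used as a subdomain, in user-info, or in the path) is suspicious.
    real_domain = registrable_domain(host)
    lowered = url.lower()
    for trusted in TRUSTED_DOMAINS:
        if trusted in lowered and real_domain != trusted:
            warnings.append("%s appears in the URL but the destination is %s" % (trusted, host))

    return host, warnings


def link_text_consistent(text, href):
    """True when anchor text that looks like a URL or domain matches where href really goes.

    Plain-word link text (no dotted host) cannot be judged and is treated as consistent.
    """
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate
    shown_host = urlsplit(candidate).hostname or ""
    if "." not in shown_host:
        return True
    real_host = urlsplit(href).hostname or ""
    return registrable_domain(shown_host) == registrable_domain(real_host)


if __name__ == "__main__":
    # Constructed sample links: one genuine, two that display a trusted name but go elsewhere.
    samples = [
        "https://www.paypal.com/login",
        "https://www.paypal.com@203.0.113.10/login",
        "https://paypal.com.example.net/account",
    ]
    for sample in samples:
        host, warnings = analyze_link(sample)
        print(sample, "->", host, warnings or "OK")
    print(link_text_consistent("www.paypal.com", "https://203.0.113.10/login"))
```

The second function is the check that matters for HTML mail, where the visible text of a link and its target are separate: if the text reads like a domain but the href resolves somewhere else, the link should be treated as a phishing attempt regardless of how convincing the text looks.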

According to Raff, Apple has acknowledged the vulnerability in the Mail application and is still investigating the issue in Safari for iPhone. Apple has also acknowledged that the iPhone’s Mail application is “spammable” and that this is a security issue.

Until a fix is available, users should avoid clicking on links in the Mail application that refer to trusted web sites. Instead, a user should enter the URL of the website manually in Safari. iPhone users should consider not using the Mail application until Apple fixes this issue, unless they don’t mind being spammed.

These security flaws might already be exploited in the wild. Proof-of-concept code for both vulnerabilities is reported to be available.
