iPhone security flaws disclosed

By

Security researcher Aviv Raff disclosed two iPhone security flaws Thursday that could allow attackers to trick people into unknowingly surfing to malicious destinations.

iPhone security flaws disclosed
He had brought both vulnerabilities to Apple's attention way back in July but the company failed to address them with patches, so he had no choice but to publicly disclose the flaws.

The first flaw exists in iPhone's Mail application and its Safari web browser, which tend to truncate parts of long URLs when they're displayed. That can allow evil-doers to disguise malicious URLs without the user having a chance to view them.

"In most mail clients... you can just hover [over] the link and get a tooltip [showing] you the actual URL that you are about to click," explained Raff. "In iPhone it's a bit different. You need to click the link for a few seconds in order to get the tooltip. Now, because the iPhone screen is small, long URLs are automatically cut off in the middle."

He explained that it's possible for a blackhat to devise a long URL beginning with a trusted domain name but which actually point to an entirely different location. The Iphone user would only see the familiar-looking part of the domain name and therefore might easily be tricked into clicking on a malicious link.

Raff said iPhone Mail is also vulnerable because it automatically downloads images linked in HTML-formatted emails.

Most email client software allows users to make downloading of images require approval in each instance. Setting that option helps email users protect themselves against spammers, because spammers can learn when they've reached an active email account if the recipient opens a spam email and downloads images.

"This one is not just a trivial bug," Raff said. "It's actually a pretty dumb design flaw, which was already fixed by all other mail clients ages ago."
Got a news tip for our journalists? Share it with us anonymously here.
theinquirer.net (c) 2010 Incisive Media
Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident

Log In

  |  Forgot your password?