He had brought both vulnerabilities to Apple's attention way back in July but the company failed to address them with patches, so he had no choice but to publicly disclose the flaws.
The first flaw exists in iPhone's Mail application and its Safari web browser, which tend to truncate parts of long URLs when they're displayed. That can allow evil-doers to disguise malicious URLs without the user having a chance to view them.
"In most mail clients... you can just hover [over] the link and get a tooltip [showing] you the actual URL that you are about to click," explained Raff. "In iPhone it's a bit different. You need to click the link for a few seconds in order to get the tooltip. Now, because the iPhone screen is small, long URLs are automatically cut off in the middle."
He explained that it's possible for a blackhat to devise a long URL beginning with a trusted domain name but which actually point to an entirely different location. The Iphone user would only see the familiar-looking part of the domain name and therefore might easily be tricked into clicking on a malicious link.
Raff said iPhone Mail is also vulnerable because it automatically downloads images linked in HTML-formatted emails.
Most email client software allows users to make downloading of images require approval in each instance. Setting that option helps email users protect themselves against spammers, because spammers can learn when they've reached an active email account if the recipient opens a spam email and downloads images.
"This one is not just a trivial bug," Raff said. "It's actually a pretty dumb design flaw, which was already fixed by all other mail clients ages ago."
iPhone security flaws disclosed
By Egan Orion on Oct 5, 2008 11:26PM