July 23rd, 2008

iPhone vulnerable to phishing, spamming flaws

Posted by Ryan Naraine @ 11:58 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Malware, Mobile (In)Security, Passwords, Patch Watch, Phishing, Responsible disclosure, Vulnerability research

Tags: Apple iPhone, Apple Safari, Vulnerability, Spamming, Flaw, Aviv Raff, Phishing, Spam, Security, Spam And Phishing

Security researcher Aviv Raff (left) has discovered a pair of basic design flaws that could turn your iPhone into easy bait for malicious phishing and spamming attacks.

According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL Spoofing vulnerability which allow attackers to conduct phishing attacks.

By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, showed in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.).

When clicking on the URL, the Safari browser will be opened. The spoofed URL, showed in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain.

[ SEE: Apple hasn’t learned from past security mistakes ]

iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability.   Apple’s security team has confirmed the vulnerability.  Raff says he is withholding details until after a patch is released.  In the meantime, iPhone users should avoid clicking on links in the Mail app that refers to trusted sites.

A second vulnerability in the iPhone Mail application that could help spammers was also reported and acknowledged as a security issue by Apple.  Raff describes this as “a basic security design flaw which might already be exploited in-the-wild.”

I have seen proof-of-concept code for both vulnerabilities and can confirm that the iPhone is potentially a phisher’s/spammer’s best friend.

ALSO SEE: Apple caught neglecting iPhone security