October 6th, 2008

iPhone hits another security speedbump

Posted by Ryan Naraine @ 1:28 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Malware, Passwords, Patch Watch, Privacy, Responsible disclosure, Spam and Phishing, Spyware and Adware, Uncategorized, iPhone

Tags: Apple iPhone, Apple Inc., Image, Spamming, Spam, Security, Spam And Phishing, Ryan Naraine

Apple’s ongoing struggles with poor security-related design choices have extended to the iPhone.  According to security researcher Aviv Raff, everyone’s favorite mobile device is vulnerable to two separate security weaknesses that expose millions of users to phishing and spamming attacks.

[ SEE: Apple hasn’t learned from past security mistakes ]

Raff, a bug finder who regularly reports flaws in modern Web browsers, discovered that it’s easy to mask a link to a malicious phishing Web site because of the way the iPhone’s Mail application handles the display of links.

When the mail message is in HTML format, the text of links can be set to a different URL than the actual link. In most mail clients (e.g. on your PC / Mac), you can just hover the link and get a tooltip which will tell you the actual URL that you are about to click.

In iPhone it’s a bit different. You need to click the link for a few seconds in order to get the tooltip. Now, because the iPhone screen is small, long URLs are automatically cut off in the middle. So, instead of “hxxp://www.somedomain.com/verylongpath/verylongfilename”, you will get in the tooltip  something like “www.somedomain.com/very…ilename”.

[ SEE: Apple patches 10 iPhone security holes ]

The problem here, Raff explains, is that an attacker can set a long subdomain (~24 characters) that, when cut off in the middle, will look as if it’s a trusted domain.

The spamming bug, described by Raff as “a pretty dumb design flaw,” allows the harvesting of “live” e-mail addresses simply by sending rigged images to targets checking e-mail on iPhones.

Whenever you view an HTML mail message which contains images, a request is made to a remote server in order to get the image. Most of the mail clients today requires you to approve the download of the images. This is done for a good reason.

If the images were downloaded automatically, the spammer who controls the remote server will know that you have read the message, and will mark your mail account as active, in order to send you more spam. This “feature” is also known as “Web Bug”

The iPhone’s Mail application downloads all images automatically, and there is NO WAY to disable this feature!

[ SEE: Apple caught neglecting iPhone security ]

Raff said he provided details of these issues to Apple more than two month ago.

I’ve asked Apple several times for a schedule, but they have refused to provide the fix date. Three versions (v2.0.1, v2.02, v2.1) have been released since I provided them with the details, and they are still “working on it”. Therefore, I’ve decided to publicly disclose the technical details.

Separately, there’s an unpatched SMS privacy hole when the iPhone is placed in emergency call mode.

Apple is notoriously slow to fix iPhone flaws so if you’re nervous about these risks, you should be very careful when using Mail on the device.