September 30th, 2009

RIM plugs BlackBerry phishing hole

Posted by Ryan Naraine @ 5:48 am

Categories: Browsers, Complex Attacks, Data theft, Hackers, Locally Running Web Servers, Mobile (In)Security, Passwords, Patch Watch, Phishing

Tags: Research In Motion Ltd., RIM BlackBerry, Phishing, Device User, Handhelds, Hardware, Ryan Naraine

Research in Motion (RIM) has shipped a fix for a serious security vulnerability that exposes BlackBerry users to phishing attacks.

The certificate handling vulnerability, which carries a CVSS severity score of 6.8, affects all versions of the BlackBerry device software. The flaw allows malicious hackers to trick BlackBerry device users into connecting to an attacker-controlled Web site, RIM warned in an advisory.

Here’s the crux of the problem:

A malicious user could create a web site that includes a certificate that is purposely altered using null (hidden) characters in the certificate’s Common Name (CN) field or otherwise manipulated to deceive a BlackBerry device user into believing they have connected to a trusted web site.

If the malicious user then performs a phishing-style attack by sending the BlackBerry device user a link to the web site in an SMS or email message that appears to be from a trusted source, and the BlackBerry device user chooses to access that site, the BlackBerry Browser will correctly detect the mismatch between the certificate and the domain name and display a dialog box that prompts the user to close the connection. However, the dialog box does not display null characters, so the user may believe they are connecting to a trusted site and disregard the recommended action to close the connection.
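The advisory above describes two separate weaknesses: a name comparison or display path that treats the Common Name as a C string and so stops at the first null byte, and a warning dialog that drops the null characters when rendering the name. The following is an added illustration, not code from RIM or from the original post; the CN bytes, host name and function names are constructed for the example.

```python
from typing import Tuple

# Constructed sample: the CN reads as the trusted host up to the NUL byte, but the
# full string continues into a different, attacker-chosen domain suffix.
CRAFTED_CN = b"trusted.example\x00.attacker.example"
EXPECTED_HOST = "trusted.example"


def cn_as_c_string(cn: bytes) -> str:
    """Mimic code that hands the CN to a C-string API: everything after the
    first NUL is silently lost, so the name looks like the trusted host."""
    return cn.split(b"\x00", 1)[0].decode("ascii", "replace")


def validate_cn(cn: bytes, expected_host: str) -> Tuple[bool, str]:
    """Length-aware validation: an embedded NUL is never legitimate in a DNS
    name, so reject it outright before comparing the whole byte string."""
    if b"\x00" in cn:
        return False, "embedded NUL byte in CN"
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in CN"
    if name.lower() != expected_host.lower():
        return False, f"CN {name!r} does not match {expected_host!r}"
    return True, "ok"


def display_safe(cn: bytes) -> str:
    """Render the CN for a warning dialog with NUL bytes made visible, so the
    user sees the mismatch instead of a clean-looking trusted name."""
    return cn.decode("ascii", "replace").replace("\x00", "\\x00")


if __name__ == "__main__":
    print("naive C-string view :", cn_as_c_string(CRAFTED_CN))
    print("length-aware check  :", validate_cn(CRAFTED_CN, EXPECTED_HOST))
    print("dialog rendering    :", display_safe(CRAFTED_CN))
```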

This screenshot provided by RIM shows an example of a BlackBerry Browser dialog box that does not clearly indicate that there is a mismatch between the web server address and its associated certificate:

BlackBerry users are urged to download and apply the patch to the BlackBerry Device Software as soon as possible.

In the meantime, RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages.

“If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection,” the company said.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

Talkback (most recent of 3)
Ryan, you've given incomplete information!
It seems the patch is not available for download just yet! Read this post from Berryreview.com from yesterday - it has some great info in it for added understanding on this issue:
... (Read the rest)
Posted by: blc1839 on 09/30/09