updated 05:55 pm EDT, Wed July 23, 2008
iPhone open to Phishing?
Security researcher Aviv Raff says the iPhone versions of Mail and Safari are vulnerable to URL spoofing, an exploit that could open the door to phishing attacks. Raff says hackers can e-mail a specially designed URL that links to a site that appears to be legitimate. A user might think it is a trusted site like PayPal -- but instead the bogus site steals passwords and other information when the user tries to log on. The maliciously crafted URL is (erroneously) recognized by Safari as a "trusted site."
Until Apple issues a security update, Raff says users should avoid clicking on links to trusted sites within e-mail and instead type in URLs manually. The researcher -- a frequent critic of mainstream OS and browser security -- is withholding details of the exploit until Apple delivers a fix, although information will be available to vendors of security software.
Raff also writes in a blog posting that the iPhone is "spammable," a "basic security design flaw which might already be exploited in the wild." MacNN Forum users have also noted the spam problem, which Raff says Apple has acknowledged.