iPhone has phishing, spamming flaws

updated 05:55 pm EDT, Wed July 23, 2008

iPhone open to Phishing?

Security researcher Aviv Raff says the iPhone versions of Mail and Safari are vulnerable to URL spoofing, an exploit that could open the door to phishing attacks. Raff says hackers can e-mail a specially designed URL that links to a site that appears to be legitimate. A user might think it is a trusted site like PayPal -- but instead the bogus site steals passwords and other information when the user tries to log on. The maliciously crafted URL is (erroneously) recognized by Safari as a "trusted site."

Until Apple issues a security update, Raff says users should avoid clicking on links to trusted sites within e-mail and instead type in URLs manually. The researcher -- a frequent critic of mainstream OS and browser security -- is withholding details of the exploit until Apple delivers a fix, although information will be available to vendors of security software.

Raff also writes in a blog posting that the iPhone is "spammable," a "basic security design flaw which might already be exploited in the wild." MacNN Forum users have also noted the spam problem, which Raff says Apple has acknowledged.

by MacNN Staff



  1. WaltFrench

    Joined: Dec 1969


    Bad reporting or advice?

    The maliciously crafted URL is (erroneously) recognized by Safari as a "trusted site."

    Odd, the notion of a "trusted site" seems to be a Windows construct. Safari uses certificates and other sources to verify the authenticity of sites, but not this one.

    So while Safari may not warn you that an untrusted site is linking to a trusted site (the bane of my Windows browsing at work because Microsoft's ad server is "trusted," so auto-refresh pages pop up requests every minute or two asking whether it's OK to link), it also does not in any way suggest that a malicious site is "trusted."

    Bad reporting or bad security advice. Which is worse?

  1. jhawk95

    Joined: Dec 1969


    This just in.....

    We now interrupt this regularly scheduled program to alert you about this item that just came in.....People who click on a link sent to them by a complete stranger via their email (or even a friend for that matter) to connect them to their bank's website might lose all of their money in that account due to fraud / theft! OMG! Are people still that fracking stupid? NEVER click on ANY link to get to a site that you are going to put a password in and that is linked to anything about your financial issues. Even if your REAL bank or someone sends you an email stating your statement is now ready. Close the email and use the link you have bookmarked or manually type the address to get there. If you do this, you will NEVER have to worry about these so-called scams which only affect lazy netizens.

  1. testudo

    Joined: Dec 1969


    Re: bad reporting

    It all depends on what the actual 'exploit' is. The problem is that he is very unclear on how you think it is a trusted site. It may be just that the link looks like "" in the email, but when you click on it, it goes to "".

    However, it also sounds like it could be such that you click on a link, and it takes you to "", but the address bar itself says "". In such a case (which is an issue other browsers have had in the past), it looks for all intents and purposes to be the correct site, but it is not.

    In that instance, this is a severe problem.
