Giveaway: Bracketron Case If outdoor adventures are in your future this summer, enter to win a Bracketron Sport Case with Mount Strap from MacNN and keep that iPhone, iPod or other electronic device safe from the elements.      
toggle

AAPL Stock: 454.74 ( + 1.77 )

http://www.macnn.com/articles/08/07/23/iphone.open.to.phishing/

iPhone has phishing, spamming flaws

updated 05:55 pm EDT, Wed July 23, 2008

 

iPhone open to Phishing?


Security researcher Aviv Raff says the iPhone versions of Mail and Safari are vulnerable to URL spoofing, an exploit that could open the door to phishing attacks. Raff says hackers can e-mail specially-designed URL that links to a site that appears to be legitimate. A user might think it is a trusted site like Pay Pal -- but instead the bogus site steals passwords and other information when the user tries to log on. The maliciously crafted URL is (erroneously) recognized by Safari as a "trusted site."

Until Apple issues a security update, Raff says users should avoid clicking on links to trusted sites within e-mail and instead type in URLs manually. The researcher -- a frequent critic of mainstream OS and browser security -- is witholding details of the exploit until Apple delivers a fix, although information will be available to vendors of security software.

Raff also writes in a blog posting that the iPhone is "spammable," a "basic security design flaw which might already be exploited in the wild." MacNN Forum users have also noted the spam problem, which Raff says Apple has acknowledged.


by MacNN Staff

Post tools:

TAGS :

 security, iPhone apps, Safari, Mail, phishing, spam

Related Articles

Recent Articles

toggle

Comments

  1. WaltFrench

    Fresh-Faced Recruit

    Joined: Jun 2003

    +2
    07/24, 02:12am | report spam | Reply |

    Bad reporting or advice?

    The maliciously crafted URL is (erroneously) recognized by Safari as a "trusted site."

    Odd, the notion of a "trusted site" seems to be a Windows construct. Safari uses certificates and other sources to verify the authenticity of sites, but not this one.

    So while Safari may not warn you that an untrusted site is linking to a trusted site (the bane of my Windows browsing at work because Microsoft's ad server is "trusted," so auto-refresh pages pop up requests every minute or two asking whether it's OK to link), it also does not in any way suggest that a malicious site is "trusted."

    Bad reporting or bad security advice. Which is worse?

  1. jhawk95

    Fresh-Faced Recruit

    Joined: Oct 2006

    +2
    07/24, 08:54am | report spam | Reply |

    This jsut in.....

    We now interrupt this regularly scheduled program to alert you about this item that just came in.....People who click on a link sent to them by a complete stranger via their email (or even a friend for that matter) to connect them to their bank's website might lose all of their money in that account due to fraud / theft!OMG! Are people still that fracking stupid? NEVER click on ANY link to get to a site that you are going to put a password in and that is linked to anything about your financial issues. Even if your REAL bank or someone sends you an email stating your statement is now ready. Close the email and use the link you have book marked or manually type the address to get there.If you do this, you will NEVER have to worry about these so-called scams which only affect lazy netizens.

  1. testudo

    Forum Regular

    Joined: Aug 2001

    +2
    07/24, 09:15am | report spam | Reply |

    Re: bad reporting

    It all depends on what the actual 'exploit' is. The problem is that he is very unclear on how you think it is a trusted site. It may be just that the link looks like "paypal.com" in the email, but when you click on it, it goes to "fred.com".

    However, it also sounds like it could be such that you click on a link, and it takes you to "fred.com", but the address bar itself says "www.paypal.com". In such a case (which is an issue other browsers have had in the past), it looks for all intents and purposes to be the correct site, but it is not.

    In that instance, this is a severe problem.

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Brother HL-3170CDW LED Printer

We've mentioned before that we are far from a paperless society. For now, at least, there are tasks that require a piece of paper for ...

HTC One

It is hard to understate just how critically important the HTC One is to the Taiwanese company’s fortunes. Despite its alarming declin ...

Samsung Galaxy S 4

Samsung's new flagship Android smartphone, the Galaxy S 4, faces even stiffer competition than its popular predecessor. With a five-in ...

toggle

Most Commented

 

Popular News