
Printed from http://www.macnn.com

iPhone has phishing, spamming flaws

updated 05:55 pm EDT, Wed July 23, 2008

iPhone open to Phishing?

Security researcher Aviv Raff says the iPhone versions of Mail and Safari are vulnerable to URL spoofing, an exploit that could open the door to phishing attacks. Raff says hackers can e-mail a specially designed URL that links to a site that appears to be legitimate. A user might think it is a trusted site like PayPal -- but instead the bogus site steals passwords and other information when the user tries to log on. The maliciously crafted URL is (erroneously) recognized by Safari as a "trusted site."

Until Apple issues a security update, Raff says users should avoid clicking on links to trusted sites within e-mail and instead type in URLs manually. The researcher -- a frequent critic of mainstream OS and browser security -- is withholding details of the exploit until Apple delivers a fix, although information will be available to vendors of security software.

Raff also writes in a blog posting that the iPhone is "spammable," a "basic security design flaw which might already be exploited in the wild." MacNN Forum users have also noted the spam problem, which Raff says Apple has acknowledged.




by MacNN Staff


Comments

  1. WaltFrench

    Joined: Dec 1969

    +2

    Bad reporting or advice?

    The maliciously crafted URL is (erroneously) recognized by Safari as a "trusted site."

    Odd, the notion of a "trusted site" seems to be a Windows construct. Safari uses certificates and other sources to verify the authenticity of sites, but not this one.

    So while Safari may not warn you that an untrusted site is linking to a trusted site (the bane of my Windows browsing at work because Microsoft's ad server is "trusted," so auto-refresh pages pop up requests every minute or two asking whether it's OK to link), it also does not in any way suggest that a malicious site is "trusted."

    Bad reporting or bad security advice. Which is worse?

  1. jhawk95

    Joined: Dec 1969

    +2

    This just in.....

    We now interrupt this regularly scheduled program to alert you about this item that just came in.....People who click on a link sent to them by a complete stranger via their email (or even a friend for that matter) to connect them to their bank's website might lose all of their money in that account due to fraud / theft! OMG! Are people still that fracking stupid? NEVER click on ANY link to get to a site that you are going to put a password in and that is linked to anything about your financial issues. Even if your REAL bank or someone sends you an email stating your statement is now ready. Close the email and use the link you have bookmarked or manually type the address to get there. If you do this, you will NEVER have to worry about these so-called scams which only affect lazy netizens.

  1. testudo

    Joined: Dec 1969

    +2

    Re: bad reporting

    It all depends on what the actual 'exploit' is. The problem is that he is very unclear on how you think it is a trusted site. It may be just that the link looks like "paypal.com" in the email, but when you click on it, it goes to "fred.com".

    However, it also sounds like it could be such that you click on a link, and it takes you to "fred.com", but the address bar itself says "www.paypal.com". In such a case (which is an issue other browsers have had in the past), it looks for all intents and purposes to be the correct site, but it is not.

    In that instance, this is a severe problem.
