updated 09:50 am EDT, Fri October 3, 2008
Aviv Raff on iPhone bugs
Apple has been neglectful in addressing a pair of bugs in the iPhone's operating system, an Israeli researcher claims. Aviv Raff explains that as early as July he warned Apple about problems in Mail and Safari, each representing a possible security threat. Although three separate firmware updates have since been released for the iPhone 3G, Raff notes that Apple has not bothered to address his concerns, even after continual pressure for a timetable.
As a result, he has decided to publish the details of the iPhone vulnerabilities on his own. The first is based on the manner in which the iPhone truncates URLs; because the iPhone has such a small display, only part of a URL can be shown for many links. The section that is cut off can be critical to determining legitimacy, however, so it is possible to create plausible-looking URLs that nevertheless take people to dangerous websites. URLs can be examined in Safari, but the OS makes this difficult by jumping to the end of an address.
A problem unique to Mail stems from image attachments. Because there is no option to disable downloading attachments automatically, images can be used to gauge whether an e-mail address is active; once this is verified, a spammer can use the information to direct more messages at a target. Raff comments that both this and the URL bug should be easy to fix, which leads him to wonder why Apple has not done anything sooner.
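The control the article says Mail lacks, sketched as an added example (not Apple's or Raff's code): find images an HTML message would fetch from a server and replace them before rendering, so opening the message does not confirm the address. It assumes the images are remote `<img>` references in a `text/html` part; the sample message and the `example.test` host are constructed.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; example.test is a placeholder, not from the article.
SAMPLE = """\
From: sender@example.test
Subject: Hello
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi</p>
<img src="http://example.test/pixel.gif?id=reader%40example.test" width="1" height="1">
<img src="cid:logo123" alt="logo">
</body></html>
"""

def is_remote(src):
    """True when fetching src would contact a server (http, https or //host)."""
    parts = urlsplit(src.strip())
    return parts.scheme.lower() in ("http", "https") or (not parts.scheme and bool(parts.netloc))

class ImgFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []  # (raw tag text, src) for each remotely loaded <img>
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and is_remote(src):
            self.remote.append((self.get_starttag_text(), src))

def block_remote_images(html):
    """Return (html with remote <img> tags replaced, list of blocked URLs)."""
    finder = ImgFinder()
    finder.feed(html)
    finder.close()
    for raw, _ in finder.remote:
        html = html.replace(raw, '<img alt="[remote image blocked]">')
    return html, [src for _, src in finder.remote]

def scan_message(raw_message):
    """Apply block_remote_images to every text/html part of a MIME message."""
    results = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            results.append(block_remote_images(body))
    return results
```

Images referenced by `cid:` are carried inside the message itself, so they are left in place; only references that would trigger a network request are replaced.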