According to Aviv Raff the iPhone’s mail and safari applications are having big security risks. Both applications are openly available to phishing attacks. The good news is that he didn’t make the exploit publicly available, and he’s not planning to do this before Apple has posted a firmware update that fixes these issues. Hit the break to read all the details.
Summary
The iPhone’s Mail and Safari applications are prone to a URL Spoofing vulnerability, which may allow attackers to conduct phishing attacks against iPhone users.
By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, showed in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.).
When clicking on the URL, the Safari browser will be opened. The spoofed URL, showed in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain.
Affected versions
iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability.
Earlier versions may also be affected.
Technical Details
I’m currently withholding the technical details until a fix will be delivered by Apple. Security vendors who would like to get more information about this vulnerability can contact me.
Solution / Suggestion
Apple have acknowledged the vulnerability in the Mail application, and are still investigating the issue in the Safari for iPhone.
Until a fix is available, I suggest to avoid clicking on links in the Mail application which refers to trusted web sites (e.g. Bank, PayPal, Social Networks, etc.). Instead, a user should enter the URL of the website manually in the Safari application.
As a side note, beside being phishable, the iPhone’s Mail application is also “spammable”. Apple has acknowledged this as a security issue.
This is a basic security design flaw which might already be exploited in-the-wild. iPhone users should consider stop using the Mail application until Apple fixes this issue, unless they want to be spammed.
Again, I’m withholding the technical details until Apple will deliver a patch.
\\ tags: exploit, iPhone, mail, phishing, raff aviv, safari, security risk
July 24th, 2008 at 5:01 pm
OMG.