Security researcher reveals iPhone design flaws
Apple's iPhone has two design flaws that could pose potential security problems, according to a researcher.
The first one concerns the iPhone's e-mail application, which automatically downloads images within an e-mail, said Aviv Raff, a security researcher, on Thursday.
That's problematic because the image will refer back to a server-side script when it is downloaded, indicating to the sender that the e-mail has been opened and the e-mail address is valid. The address can then be spammed.
E-mail applications usually are configured to block images from untrusted sources to prevent the problem, Raff said. He suggests that users avoid using the e-mail application or be careful when clicking on links in an e-mail that comes from an untrusted source.
The second design flaw is how the iPhone's e-mail application displays URLs (Uniform Resource Locators). Messages can be shown in plain text or HTML (Hypertext Markup Language). When in HTML mode, a user can get an e-mail where the text of the link is different than the actual link. The true link can be displayed by hovering over the text, and a pop-up window reveals the URL. But the problem is the pop-up window truncates the URL since there isn't enough space on the screen.
An attacker could create a Web site with a long subdomain in order to fool a user into thinking it's a legitimate site. In fact, a Web site designed to trick a person into revealing personal information, known as a phishing site, Raff said.
After the bad link is served up in the Safari Web browser, the user may still only see a fraction of the URL. If the address bar is clicked in mobile Safari, the cursor jumps to the end of the URL, so a person must scroll back to see the URL in its entirety, Raff wrote on his blog.
Neither Apple's mobile Safari nor the desktop version of the browser have a phishing filter.
Raff said he notified Apple more than two months ago about the design flaws. The company told Raff they were working on fixes but hadn't said when those fixes would be released.
Raff said he decided to go public with the information since Apple has since released at least three iPhone updates but hasn't addressed the issues.
"I think they put their own users at much more risk by not fixing this," Raff said in an interview. "At least now the users who read this will know to be careful. It's only a matter of time until the bad guys will find this anyway."
Apple couldn't immediately be reached for comment.
IDG News Service
Build your tech library with our book giveaways.
Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams
Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!
Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media
Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!
Thanks for the warning
Thanks for the warning and the clear explanation. It's been 60 days since he warned Apple and I am confident that Apple now has people working on solutions. Perhaps in the "new" Safari already announced for this month.I don't have an iPhone, and am no computer expert. But, like many business and personal users of the web have already been educated not to click on any link or attachment unless from a trusted source.
In this 21st century, unfortunately, the sophistication of our technology and the sophistication of hackers, thieves and other predators is something we all need to be aware. So be prudent and careful, because the wolves are out there.