RIM Patches BlackBerry Phishing Flaw

The vulnerability can make the smartphone think a malicious Web site is a trusted one.

Marin Perez, Contributor

October 1, 2009

2 Min Read

Research In Motion issued a security patch that fixes a vulnerability that potentially leaves BlackBerry users open to phishing attacks.

The flaw enables a malicious coder to trick BlackBerry users into visiting a potentially malicious Web site by making the device think the site is a trusted one. To exploit this, attackers would need to create a site that uses null characters in the certificate's Common Name field. The device detects the mismatch between the domain name and the certificate, but the warning screen doesn't display the hidden character, making the user think the site is trusted.

"The updated BlackBerry device software is designed to depict null characters in the BlackBerry browser dialog box that appears when the user visits a Web site with a certificate that does not match the site domain name," RIM said in a security note. "In the updated BlackBerry device software, the BlackBerry device represents previously hidden null characters with a block, and highlights the non-matching portion of the domain name in bold."

The security flaw was brought to RIM's attention by Mobile Security Labs and CESG, and it impacts various BlackBerry models with the 4.5 version of the operating system or later. Individual users and BlackBerry Enterprise Software managers can check for updates from RIM's Web site, and the company advises BlackBerry users to exercise caution when clicking on links they receive from SMS messages or e-mail.

The mobile platforms have not been a major target of malicious coders, particularly because the wide variety of operating systems makes mobile devices a harder target than Windows desktop machines. But as more users carry sensitive data on their handsets, most industry experts speculate it will only be a matter of time before a widespread mobile virus emerges.

InformationWeek has published an in-depth report on smartphone security. Download the report here (registration required).

Read more about:


About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights