Apple iPhone Vulnerabilities Disclosed - InformationWeek
IoT
IoT
Mobile // Mobile Devices
News
10/2/2008
06:31 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%
RELATED EVENTS
[Dark Reading Crash Course] Finding & Fixing Application Security Vulnerabilitie
Sep 14, 2017
Hear from a top applications security expert as he discusses key practices for scanning and securi ...Read More>>

Apple iPhone Vulnerabilities Disclosed

The first is a URL display flaw in the iPhone's Mail that could allow an attacker to send a message containing a malicious URL that looks legitimate, says one security researcher.

After two and a half months of inaction from Apple, security researcher Aviv Raff on Thursday decided to release information about two iPhone vulnerabilities that he found and brought to the company's attention in July.

The first is a URL display flaw in the iPhone's Mail that could allow an attacker to send a message containing a malicious URL that looks legitimate.

"In most mail clients (e.g., on your PC / Mac), you can just hover the link and get a tooltip which will tell you the actual URL that you are about to click," explains Raff in a blog post. "In iPhone it's a bit different. You need to click the link for a few seconds in order to get the tooltip. Now, because the iPhone screen is small, long URLs are automatically cut off in the middle."

It's possible for an attacker to construct a long URL that displays a trusted domain but actually resolves to another domain entirely, he explains. The victim would only see the portion of the domain designed to look familiar and would be more likely to click on the malicious link.

Opening the URL in the iPhone's Safari browser would not help because it, too, only displays a portion of the long URL.

The iPhone Mail application also is vulnerable because of the way it handles images. Specifically, it automatically downloads images in HTML-formatted messages. Most mail clients provide a way to make the downloading of images require user approval. This protects against spammers, who can tell if an e-mail account is active if a spam recipient opens a message and downloads images.

"This one is not just a trivial bug," said Raff. "It's actually a pretty dumb design flaw, which was already fixed by all other mail clients ages ago."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll