Phishing Vulnerability Found in iPhone/Touch Firmware

by Eric March on July 27, 2008 at 1:58 pm

Here’s a good reason for someone to take Apple up on their job offering of a hacker extraordinaire: Expert security researcher Aviv Raff recently revealed in his blog that both the E-Mail and Safari applications in firmware 1.1.4 and 2.0 are susceptible to phishing attacks.

Raff explains that a specially crafted URL could be sent to an iPhone user in E-Mail, which would show up in the E-Mail app as appearing to come from a trusted source. Upon tapping the link and opening Safari, the spoofed URL would still appear to be from a valid, trusted domain, and if the destination URL looks authentic enough, it could lure the less wary into divulging critical personal information about themselves, such as logins and passwords for PayPal, major banks, eBay, and other popular phishing targets.

This is very remeniscent of the URL spoofing exploit that was found in Internet Explorer 6 (and subsequently found to effect early versions of Firebird) almost 5 years ago, where a specially formed URL with the exploit coded in the first half of the URL and the real URL appended on to the end would show up in the URL bar of IE and Mozilla displaying only the real URL at the end, but going to the full URL which would point at a site set up by the phisher.

Although by now most people should already understand that they should not be clicking on URLs received in E-Mails, especially more tech-savvy iPhone users, it bears repeating. If you receive an E-Mail purporting to be from a major institution like a bank, PayPal, or any other organisation claiming to offer you something or making you think there’s a problem with your account that you need to log in to and fix, do not ever click any links contained within the E-Mail, even if you think you trust the source. If there is a problem, log in to your account manually by entering the URL yourself into Safari, or call the institution in question to inqiure about the validity of the E-Mail. If there is a problem, you will know about it, and if you are being offered something, you will know about that, too.

Remember: No reputable company that is in possession of your sensitive personal information and/or that deals with financials will ever ask you for personal information in an E-Mail or provide you a direct link to log in to your account. If there is a problem with your account you will likely be notified of such when you log in, and if it is a serious problem, it is likely worth their time to give you a phone call and discuss it with you personally.

To recap: If you get an E-Mail with a URL in it that appears to lead somewhere that you’ll be required to enter personal information, never, ever click the link in the E-Mail. Do it the manual way. Investigate it yourself. A few extra moments of effort could save your finances, your credit rating, even your entire identity.

Assuming Apple is made aware of this flaw, it is likely we will see a fix for it in a future firmware update (2.1, maybe?) so this will likely become a non-issue soon enough — but for those of you still running 1.1.4, and those currently running 2.0, you should be aware of the flaw and remain vigilant against E-Mails that have even the slightest foul whiff about them.

(via Pocket-Lint)

Related Stories:

• There are no related stories for this entry.

Subscribe to The RSS Feed or our Audio Podcast for Live updates!

Posted in Firmware Related, News Related, iPhone 2.0, iPhone 3G, iPhone Related