Important: iPhone UI Flaws, Be Careful with the Mail.app

by Jody Mitoma on October 6, 2008 at 5:17 pm



Apple has been doing a great job ridding the iPhone and iPod touch of security flaws and the like, but there is one issue with the Mail.app that can trick users into doing something they never intended to do.

Here is a direct quote from Ars Technica explaining the flaw:

Explained on his blog (hat tip to MacNN), Aviv Raff says that two particular behavioral choices—but not necessarily security holes—in iPhone’s Mail application can lead to phishing and spamming exploits. The first involves URL redirections due to the unique way Mail displays the actual URL of a linked portion of text. Mail will display the full text of a URL in a message, but a tap-and-hold operation on the URL will truncate its address in a popup tooltip if it’s longer than ~24 characters. If a malicious attacker exploits this URL display disparity the right way, then, according to Raff’s example, a URL in a Mail message could read “https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963,” but actually link to a page at “http://securelogin.facebook.com.avivraff.com/.”

The iPhone’s next security problem stems from Mail’s affinity for automatically downloading images in most messages unless they are significantly large or there are too many attachments. Most e-mail clients (including Mail on the desktop) offer various safeguards around this behavior, including preferences for downloading images from contacts in an address book or simply requiring all images to be manually downloaded on a per-message basis. Since the iPhone offers no such preferences, an image in a spam message will automatically download, verifying to the spammer that the address is active and ripe for more spam.
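Both behaviors in the quoted explanation can be checked mechanically on the client or at a mail gateway. The script below is an added example written for this page; it is not code from this post, from Ars Technica or from Raff's write-up. It parses a constructed HTML message, flags anchors whose visible text is a URL on one domain while the real href points at a host on another, models the ~24-character tooltip truncation to show why the attacker-controlled suffix never becomes visible, and lists every image the client would fetch from the network on open. The sample message, the tracker host tracker.example.net, the fixed 24-character limit and the "last two labels" domain rule are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Width of the tap-and-hold tooltip, taken from the article's "~24 characters".
# Assumption for this model: the tooltip shows the first 24 characters of the real href.
TOOLTIP_LIMIT = 24

# Constructed sample message modelled on Raff's example: the visible text is a
# facebook.com URL, the real href is a host under avivraff.com, and a remote
# 1x1 image (tracker.example.net is a made-up host) acts as a read receipt.
SAMPLE_HTML = """
<p>Your password was reset. Confirm at
<a href="http://securelogin.facebook.com.avivraff.com/">https://securelogin.facebook.com/reset.php?cc=534a556abd1006&amp;tt=1212620963</a></p>
<p><a href="https://www.facebook.com/help">Help Center</a></p>
<img src="http://tracker.example.net/pixel.gif?id=a1b2c3" width="1" height="1">
"""


def tooltip_preview(href, limit=TOOLTIP_LIMIT):
    """What the truncated tooltip would show for `href`: the attacker-controlled
    tail of a long look-alike host falls outside the limit and is never seen."""
    return href if len(href) <= limit else href[:limit] + "..."


def registrable_domain(host):
    """Simplified registrable domain: the last two labels. Real deployments should
    consult the Public Suffix List (co.uk etc.); this shortcut is an assumption."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _hostname_of(text):
    """Hostname of a URL-looking string, or None if the text is not a URL."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlparse(candidate).hostname or ""
    except ValueError:
        return None
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z0-9-]+", host) else None


class MailScanner(HTMLParser):
    """Walks an HTML body and records the two risky patterns."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.link_mismatches = []   # (visible text, real href)
        self.remote_images = []     # image URLs a client would fetch on open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and urlparse(a.get("src") or "").scheme in ("http", "https"):
            # Any remote image is a read receipt: fetching it tells the sender the
            # address is live. A safe client fetches nothing until the user asks.
            self.remote_images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown, real = _hostname_of(text), _hostname_of(self._href)
            # Only anchors whose visible text is itself a URL can lie about their target;
            # "Help Center" style link text is left alone.
            if shown and real and registrable_domain(shown) != registrable_domain(real):
                self.link_mismatches.append((text, self._href))
            self._href = None


def scan(html):
    """Run the scanner over one HTML body and return it with its findings."""
    scanner = MailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner


if __name__ == "__main__":
    result = scan(SAMPLE_HTML)
    for text, href in result.link_mismatches:
        print("link text :", text)
        print("real href :", href)
        print("tooltip   :", tooltip_preview(href))   # the avivraff.com part is cut off
    for src in result.remote_images:
        print("remote image (read receipt):", src)
```

The tooltip model is the important part: the truncated preview of Raff's href shows only a facebook.com-looking prefix, so the on-device check a user is told to rely on gives no warning. The domain comparison has to be done on the href, never on the text the sender chose to display.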

These are flaws worth being careful about, at least until Apple acknowledges them and, hopefully, releases a firmware update. It is probably best to check your e-mail on a desktop computer as often as you can until the issue has been dealt with. The issue was reported to Apple before firmware 2.0 was released, but even with the releases of 2.0.1 and 2.1, Apple has yet to take any action on it. My only suggestion is to be careful: treat links in unexpected messages with suspicion, and remember that merely opening a message can confirm your address to a spammer.

(via Ars Technica)
