Thu, 02 Oct 2008 Security researcher reveals iPhone design flaws

Security expert goes public on two iPhone security flaws

Jeremy Kirk

Apple's iPhone has two design flaws that could pose potential security problems, according to a researcher.

The first concerns the iPhone's email application, which automatically downloads images within an e-mail, said Aviv Raff, a security researcher, on Thursday.

That's problematic because the image will refer back to a server-side script when it is downloaded, indicating to the sender that the e-mail has been opened and the e-mail address is valid. The address can then be spammed.

Email applications usually are configured to block images from untrusted sources to prevent the problem, Raff said. He suggests that users avoid using Mail or be wary when clicking on links that come from an untrusted source.

The second design flaw is how the iPhone's email application displays URLs (Uniform Resource Locators). Messages can be shown in plain text or HTML (Hypertext Markup Language). When in HTML mode, a user can get an email where the text of the link is different than the actual link. The true link can be displayed by hovering over the text, and a pop-up window reveals the URL. But the problem is the pop-up window truncates the URL since there isn't enough space on the screen.

An attacker could create a site with a long subdomain in order to fool a user into thinking it's a legitimate site. In fact, a website designed to trick a person into revealing personal information, known as a phishing site, Raff said.

After the bad link is served up in the Safari browser, the user may still only see a fraction of the URL. If the address bar is clicked in mobile Safari, the cursor jumps to the end of the URL, so a person must scroll back to see the URL in its entirety, Raff wrote on his blog.

Neither Apple's mobile Safari nor the desktop version of the browser have a phishing filter.

Raff said he notified Apple more than two months ago about the design flaws. The company told Raff they were working on fixes but hadn't said when those fixes would be released.

Raff said he decided to go public with the information since Apple has since released at least three iPhone updates but hasn't addressed the issues.

"I think they put their own users at much more risk by not fixing this," Raff said in an interview. "At least now the users who read this will know to be careful. It's only a matter of time until the bad guys will find this anyway."

Apple couldn't immediately be reached for comment.

RSS
Digg

Email A Friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Permalink This Article

This articles permalink is:
http://www.macworld.co.uk/ipod-itunes/news/index.cfm?RSS&NewsID=23015

<<prev article | back to news index | next article>>

Question of the day!

Mark Hattersley
Editor in Chief

Do you use Adobe Photoshop with a Wacom tablet?

Question of the day!

Do you use Adobe Photoshop with a Wacom tablet?

% of Macworld readers agree with you

Yes

TBC

How does a Wacom tablet improve the Photoshop experience?

Follow the conversation at @TabletChat

paintings & illustrations, mostly, which i upload to flickr.RT @fragmentedm

I draw manga/anime characters. I also do graphic design and photography.RT @spialelo

Yes. I usually put them up on my #deviantart account for feedback on how to improve.RT @spialelo

Comments received

andrew david said on Thu, 02 Oct 2008

"At least now the users who read this will know to be careful. It's only a matter of time until the bad guys will find this anyway."
AND NOW YOU'VE TOLD THE WHOLE WORLD.
YEAH, CHEERS FOR THAT.
PILLOCKS

Michael Baierl said on Sat, 04 Oct 2008

I also wrote this the support a while ago, but all I heard back was the same reply - "thanks for reporting, we don't confirm anything". Also was with firmware 1. That really sucks if the company does not react on SECURITY ISSUES!

Read more about it here: www.mbaierl.com/blog/2008/10/apples-iphone-security-issues.html

MickJ said on Sun, 05 Oct 2008

Apple are crap at plugging security holes. When you tell them it's almost like they don't wanna hear.

The first real virus for the Mac will wipe out so many machines because of the "head in sand syndrome" adopted by so many. The virus writers have been testing the water so it won't be long.

Zeno said on Sun, 05 Oct 2008

First problem is a request for improvement, there are many web and desktop clients that download all images by default, second one is hilarious. You can view the url in safari when opened.

Apple doesn't act on them as it consideres them low priority. I know I would.

Adam Smith said on Wed, 08 Oct 2008

I was really surprised to see images in my e-mail. This is a well-known security problem. Either Apple doesn't care about security or they have dolts working for them who don't know about this exploit. I believe the former.

Disclaimer
Opinions expressed here are those of the writers and do not reflect those of Macworld. Macworld accepts no responsibility legal or otherwise for their accuracy of content.
Click here to read the house rules.

Click here for the latest reader comments

Latest News

More news...

iPhone 3G S Video Review

Related News

More iPod/iPhone news...

Mac Broadband?

Search news

Search Google

Newsletter signup

It's easy and free to get the latest news headlines, reviews and opinions straight to your email inbox. Sign up NOW to make sure you receive the latest Mac news, reviews and tutorials on your favourite topics.

Latest issue: Ipod User

Find out what's in this month's Macworld here or buy now.

Macworld reader poll

Are you going to buy an Apple iPad?:

View poll results

Have your say in the
Macworld forums!

Register now

Stay on top of the latest, breaking Mac news and chat with other Mac professionals and enthusiasts about the issues that matter to you. Register with Macworld today to join our forums and receive our twice-weekly email newsletter, Macworld Mainline.

RSS

Have the latest content delivered to your desktop via RSS. Use the links below to get access to a specific blog, news, or reviews feed.

Subscribe to our feeds here

Latest PC industry news

MACWORLD MARKETPLACE

	Computer & Laptop At Ciao you can read consumer reviews on a large number of Apple products like iPods, iPhones, Apple laptops and Apple computers. Compare prices of your favourite Apple products today.
	Are you a new customer? Are you doubtful? Try it for free! 4 classic products: try with no risks. 48 hours from now!
	Circus Ponies NoteBook - the easy way to get organized on the Mac NoteBook is the award-winning application that gets you organized. Store notes in electronic notebooks, add text, drag in files, "clip" web pages and other content. Annotate with diagrams, sketches, highlighting, keywords, even voice recordings. Find anything instantly with NoteBook’s patented Multidex^TM. Publish to the web, including MobileMe.
	50% off ebooks It doesn't get much hotter than Mac OS X and iPhone development - visit http://apress.com/mac. Whatever your level, and whatever your background, Apress offers a complete package of books to get you up and developing for iPhone and Mac OS X. Use the exclusive MacWorld coupon code, MACWORLDOC, at Apress.com to receive 50% off your cart.
	Beat the Credit Crunch - Lease your Mac from Hardsoft. Hardsoft are the only 'one stop' solution for the supply and finance of I.T. to businesses throughout the UK via our regional branch offices. We are uniquely both equipment Apple Approved Reseller and licensed Credit Brokers and have tailored a solution which includes a full 3 year warranty and an equipment upgrade every 18 month.