iPhone Mail and Safari bug helps phishing attacks

An unpatched vulnerability in the iPhone's Mail and Safari applications helps conceal phishing attacks, according to a high-profile security researcher who specialises in finding flaws in widely used software. Aviv Raff has previously identified security flaws in software from Apple, Microsoft, Google and other vendors.

Raff's latest finding is especially pernicious, as the bogus URL appears to be that of the real site even when the link is opened in Safari.

Here's how he describes the flaw, which exists in versions 1.1.4 and 2.0 of the iPhone's software:

"By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.).

"When clicking on the URL, the Safari browser will be opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain."

Nasty. Even if you're already aware of the risks posed by phishing and examine URLs very carefully, it sounds as if this trick passes close inspection.

Raff's suggestion - echoing 'standing orders' from most financial institutions - is that you shouldn't click on links in emails that point to trusted sites. Entering the address manually each time is tedious, but safer.

He also asserts that "a basic security design flaw" in the iPhone's Mail application makes it "spammable".

What might that mean? Please read on.