Aviv Raff's example of a simple URL redirection trick
that can trump iPhone's Mail application
Apple is arguably getting more proactive about iPhone security exploits. The iPhone OS 2.0 release fixed quite a few bugs, and last month's 2.1 update was no security slouch either. Still, in the face of Apple recruiting full-time iPhone hackers, an Israeli researcher has released details on two potentially dangerous—though seemingly innocuous—design flaws that he says the company has ignored for too long.
Explained on his blog (hat tip to MacNN), Aviv Raff says that two particular behavioral choices—but not necessarily security holes—in iPhone's Mail application can lead to phishing and spamming exploits. The first involves URL redirections due to the unique way Mail displays the actual URL of a linked portion of text. Mail will display the full text of a URL in a message, but a tap-and-hold operation on the URL will truncate its address in a popup tooltip if it's longer than ~24 characters. If a malicious attacker exploits this URL display disparity the right way. According to Raff's example, a URL in a Mail message could read "https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963," but actually link to a page at "http://securelogin.facebook.com.avivraff.com/."
The iPhone's next security problem stems from Mail's affinity for automatically downloading images in most messages unless they are significantly large or there are too many attachments. Most e-mail clients (including Mail on the desktop) offer various safeguards around this behavior, including preferences for downloading images from contacts in an address book or simply requiring all images to be manually downloaded on a per-message basis. Since the iPhone offers no such preferences, an image in a spam message will automatically download, verifying to the spammer that the address is active and ripe for more spam.
Both of these flaws—or perhaps more accurately, "design choices"—would be pretty easy to alter in the name of safety, according to Raff. He told Apple about the exploits months ago (before even iPhone OS 2.0 landed), but even through two subsequent OS updates (2.0.1 and 2.1) the company has simply said it is "working on" the problems. Raff chose to publish these details, as many frustrated researchers do, because of Apple's apparent inaction.
No comments:
Post a Comment