URL Spoofing Vulnerability Found In Mail, Safari - iPhone Alley Forums

Edward Kirk
WrAdminterizer
 
Join Date: Apr 2007
Location: Illinois, USA
Posts: 3,088
Thanks: 19
Thanked 26 Times in 25 Posts
URL Spoofing Vulnerability Found In Mail, Safari -    #1
Security researcher Aviv Raff claims that the iPhone and iPod touch versions of Mail and Safari are both vulnerable to a URL spoofing vulnerability that could allow attackers to conduct phishing attacks against iPhone users. According to Raff, a hacker could create a specially crafted URL that, when sent via email, could be made to appear to come from a trusted domain like a bank, PayPal, a social network, etc. Then, when clicked and opened in Safari, the URL shown in Safari's URL bar would still appear to the victim to be from the trusted domain.

He says the exploit works in Mail and Safari on both 1.1.4 and 2.0, and that earlier versions may also be affected. He is currently withholding the technical details of the exploit until Apple releases a patch to fix it.

He also says that the Mail app is "spammable", which he says Apple has acknowledged as a security issue. He recommends that iPhone users refrain from using the Mail app until a patch is issued for that as well to avoid being spammed.

[via Aviv Raff's site]
__________________

About my iPhone:
iPhone & Color: iPhone 3G 16GB White
iPhone Version: 3.0
Computer & OS: MacBook Pro 15", Mac OS X 10.5.4

Stephen007
Rocks the Board
 
Join Date: Dec 2007
Location: Milwaukee WI
Posts: 347
Thanks: 20
Thanked 3 Times in 3 Posts
  #2
What does "the iPhone's Mail application is also 'spammable'" mean?
Edward Kirk
WrAdminterizer
 
  #3
Quote:
Originally Posted by Stephen007
What does "the iPhone's Mail application is also 'spammable'" mean?
To be honest I have no idea, other than maybe it does certain things in ways that make it easy for you to be targeted by spammers. I'll keep looking for info and let you know what I find.
Terry Time
Guest
 
Posts: n/a
  #4
Quote:
Originally Posted by Edward Kirk
To be honest I have no idea, other than maybe it does certain things in ways that make it easy for you to be targeted by spammers. I'll keep looking for info and let you know what I find.
So he doesn't want me to access my email because I might end up getting spam mail?

Ha ha ha!

I've been getting spam and Nigerian scam emails loooooooooooong before my iPhone came around
Andres Susarret
Guest
 
Posts: n/a
Spam images -    #5
Well, I for one am concerned that I cannot prevent image loading when I open an email with the Mail app on the iPhone. That strikes me as a "spammable" feature. Sure, most spam is obvious and I can delete it without opening it, but once in a while you get that tricky case that needs to be opened to be sure.

-andres