Mail App Security Flaws Found

Earlier today, security researcher Aviv Raff publicly disclosed two security flaws he had found in the iPhone’s software, both of which affect the iPhone’s Mail app and both of which pose real security problems. The first is the straightforward one: the Mail app automatically downloads any images embedded in an email. Fetching the image sends a request back to the server that hosts it, which tells the sender that the message has been opened and confirms that the address belongs to a real person who can be sent more spam.

The second flaw is in how the Mail app displays URLs. Users have the option of viewing messages in plain text or HTML. When viewing HTML, however, a recipient can receive a link whose visible text differs from the URL it actually points to. The true URL can be viewed by hovering over the link, but the preview shown is truncated to fit on the screen. Because of this, an attacker could set up a malicious website with a long sub-domain so that the visible part of the URL looks like a link to a legitimate site, and then trick the user into handing over sensitive information.
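As an added example (not code from the article or from Raff’s research), the JavaScript below shows one defender-side check that a mail client or mail filter could apply to the second flaw: it recovers the host that actually receives the request, compares it with the domain a reader would infer from the visible link text, and reports whether a preview of a given width would cut the real domain off. The two-label rule for the registrable domain, the function names and the sample links are assumptions made for the example.

```javascript
// Added example (not from the article or from Raff): a defender-side check
// for the truncated-preview flaw. A mail client that shortens the URL preview
// can hide the real host behind a long subdomain chain; this code recovers the
// host that actually receives the request, compares it with the domain a user
// would infer from the visible link text, and reports whether a preview of a
// given width would cut the real domain off.

function registrableDomain(host) {
  // Simplifying assumption: the registrable domain is the last two labels.
  // A real deployment should consult the Public Suffix List (e.g. "co.uk").
  const labels = host.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

function domainSuggestedByText(text) {
  // Pick out a hostname-like token from the anchor text, if there is one.
  const m = text.match(/(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i);
  return m ? registrableDomain(m[1]) : null;
}

function analyzeLink(anchorText, href, previewWidth) {
  const realDomain = registrableDomain(new URL(href).hostname);
  const textDomain = domainSuggestedByText(anchorText);
  const preview = href.slice(0, previewWidth); // what a truncated preview shows
  return {
    realDomain,
    textDomain,
    // Visible text names one domain while the request goes to another.
    mismatch: textDomain !== null && textDomain !== realDomain,
    preview,
    // The preview never reaches the registrable domain, so it cannot be trusted.
    domainHiddenByTruncation: !preview.toLowerCase().includes(realDomain),
  };
}

// Constructed sample links (not real sites): a spoof-shaped link and a benign one.
const samples = [
  ['Sign in to example.com',
   'https://example.com.account-verification.long-subdomain.attacker-placeholder.test/login'],
  ['Open www.example.com', 'https://www.example.com/help'],
];
for (const [text, href] of samples) {
  console.log(analyzeLink(text, href, 40));
}
```

With a 40-character preview the first sample shows only `https://example.com.account-verification`, which is exactly the kind of display the article describes.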

Raff says he notified Apple of the issues but decided to go public after Apple released three updates in the meantime, none of which addressed either of the issues he reported.

“I think they put their own users at much more risk by not fixing this,” Raff said in an interview. “At least now the users who read this will know to be careful. It’s only a matter of time until the bad guys will find this anyway.”

[via Macworld UK]

