URL Spoofing Vulnerability Found In Mail, Safari

Security researcher Aviv Raff claims that the iPhone and iPod touch versions of Mail and Safari are both vulnerable to a URL Spoofing vulnerability that could allow attackers to conduct phishing attacks to iPhone users. According to Raff, a hacker could create a specially crafted URL that, when sent via an email, he could convince came from a trusted domain like a bank, PayPal, a social network, etc. Then, when clicked and opened in Safari, the URL showed in Safari’s URL bar would still appear to the victim that it is from the trusted domain.

He says the exploit works in Mail and Safari on both 1.1.4 and 2.0, and that earlier versions may also be affected. He is currently withholding the technical details of the exploit until Apple releases a patch to fix it.

He also says that the Mail app is “spammable”, which he says Apple has acknowledged as a security issue. He recommends that iPhone users refrain from using the Mail app until a patch is issued for that as well to avoid being spammed.

[via Aviv Raff's site]

View the comments on the forum…