Home

URL Spoofing Vulnerability Found In Mail, Safari

Submitted by Edward Kirk on July 24, 2008 - 2:04pm.
in

Security researcher Aviv Raff claims that the iPhone and iPod touch versions of Mail and Safari are both vulnerable to a URL Spoofing vulnerability that could allow attackers to conduct phishing attacks to iPhone users. According to Raff, a hacker could create a specially crafted URL that, when sent via an email, he could convince came from a trusted domain like a bank, PayPal, a social network, etc. Then, when clicked and opened in Safari, the URL showed in Safari's URL bar would still appear to the victim that it is from the trusted domain.

He says the exploit works in Mail and Safari on both 1.1.4 and 2.0, and that earlier versions may also be affected. He is currently withholding the technical details of the exploit until Apple releases a patch to fix it.

He also says that the Mail app is "spammable", which he says Apple has acknowledged as a security issue. He recommends that iPhone users refrain from using the Mail app until a patch is issued for that as well to avoid being spammed.

[via Aviv Raff's site]

Submitted by Stephen007 on July 24, 2008 - 2:59pm.
What does "the iPhone's Mail application is also "spammable" mean?

Submitted by Edward Kirk on July 24, 2008 - 3:51pm.
Quote:
Originally Posted by Stephen007 View Post
What does "the iPhone's Mail application is also "spammable" mean?
To be honest I have no idea, other than maybe it does certain things in ways that make it easy for you to be targeted by spammers. I'll keep looking for info and let you know what I find.

Submitted by Terry Time (not verified) on July 24, 2008 - 4:54pm.
Quote:
Originally Posted by Edward Kirk View Post
To be honest I have no idea, other than maybe it does certain things in ways that make it easy for you to be targeted by spammers. I'll keep looking for info and let you know what I find.
So he doesnt want me to access my email because I might end up getting spam mail?

Ha ha ha!

I've been getting spam and Nigerian scam emails loooooooooooong before my iPhone came around

Spam images

Submitted by Andres Susarret (not verified) on July 26, 2008 - 7:45pm.
Well, I for one am concerned that I cannot prevent image loading when I open an email with the Mail app on the iPhone. That strikes me as a "spammable" feature. Sure, most spam is obvious and I can delete it without opening it, but once in a while you get that tricky case that needs to be opened to be sure.

-andres