Two iPhone Security Flaws Made Public
Posted on by Peter James
Security researcher Aviv Raff has gone public regarding two iPhone security flaws, more than two months after he contacted Apple about them. As Macworld UK reports, the first bug is that the iPhone’s e-mail application automatically downloads images embedded in messages. Spammers use this to verify whether a given address is active: if the image is fetched from their server, that confirms the message reached a live mailbox and was opened.
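The verification trick works because the image URL can be made unique per recipient, so a hit in the sender's web-server log maps straight back to an address. The following is an added example (not code from the original post or from Raff) showing both halves: the sender building a per-recipient beacon and reading its access log, and the client-side mitigation of blanking remote images before rendering. The addresses, the HMAC secret, the host name `tracker.example` and the log lines are constructed, and the Apache/nginx combined log format is an assumption.

```python
"""Why auto-loading images confirms an address is live.

Added example; not code from the original post. Addresses, the HMAC secret,
the beacon host and the access-log lines are all constructed; the log format
(Apache/nginx combined style) is an assumption.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"      # held by the sender, never sent
BEACON_HOST = "tracker.example"          # constructed host name
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def beacon_token(address: str) -> str:
    """Per-recipient token; a keyed hash so the address itself is not in the URL."""
    digest = hmac.new(SECRET, address.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def beacon_img_tag(address: str) -> str:
    """1x1 image embedded in the HTML body. A client that fetches remote
    images automatically requests it the moment the message is rendered."""
    return (f'<img src="https://{BEACON_HOST}/p.gif?t={beacon_token(address)}"'
            ' width="1" height="1" alt="">')


LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def confirmed_recipients(log_lines, candidates):
    """Sender side: map fetched beacon tokens back to live addresses."""
    by_token = {beacon_token(a): a for a in candidates}
    live = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or not m.group("status").startswith("2"):
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/p.gif":
            continue
        for tok in parse_qs(parts.query).get("t", []):
            if tok in by_token:
                live.add(by_token[tok])
    return live


def strip_remote_images(html: str) -> str:
    """Client-side mitigation: blank any remote <img src> before rendering,
    so nothing is fetched until the user explicitly opts in."""
    return re.sub(r'(<img\b[^>]*?\bsrc=)"https?://[^"]*"',
                  r'\1"" data-blocked="remote"', html, flags=re.IGNORECASE)


# Constructed access-log lines: Alice's and Carol's clients fetched the
# pixel, Bob's did not (the second line is an unrelated request).
_ALICE = beacon_token("alice@example.com")
_CAROL = beacon_token("carol@example.com")
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jul/2008:12:00:00 +0000] "GET /p.gif?t={_ALICE} HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2008:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [10/Jul/2008:12:02:00 +0000] "GET /p.gif?t={_CAROL} HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(beacon_img_tag("alice@example.com"))
    print(sorted(confirmed_recipients(SAMPLE_LOG, CANDIDATES)))
    print(strip_remote_images(beacon_img_tag("alice@example.com")))
```

Note that the beacon needs no cookie and no JavaScript; the mere HTTP request is the signal, which is why a client that fetches remote images by default leaks it regardless of any other privacy setting.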
While the first flaw is relatively minor (it mostly means more spam), the second bug is more serious. It concerns the way the iPhone displays URLs in e-mails. In a mail client showing a message in HTML mode, a user can hover over a link to see the real URL behind it, which helps weed out phishing attempts. On the iPhone, however, the narrow screen truncates the displayed URL, so only its beginning is visible. “An attacker could create a site with a long subdomain in order to fool a user into thinking it’s a legitimate site. In fact, it is a website designed to trick a person into revealing personal information, known as a phishing site,” Raff said.
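Concretely, the attacker registers a domain they control and prepends the victim brand as subdomain labels, so a preview cut after a few dozen characters shows only the brand. The following is an added example (not code from the original post or from Raff) that shows what a truncated preview displays, a heuristic that flags a link whose visible prefix names one domain while its registrable domain is another, and the obvious mitigation of putting the registrable domain first. The URLs `bank.example` and `attacker-example.net`, the 32-character preview width and the two-label registrable-domain rule are assumptions for illustration.

```python
"""How a long subdomain exploits a truncated link preview.

Added example; not code from the original post or from Raff. The URLs,
the 32-character preview width and the registrable-domain heuristic are
assumptions made for illustration.
"""
from urllib.parse import urlsplit

PREVIEW_WIDTH = 32  # assumed width of a narrow link preview, in characters

# Constructed URLs: 'bank.example' is the site being impersonated,
# 'attacker-example.net' is the phishing host.
LEGIT_URL = "https://www.bank.example/login"
SPOOF_URL = ("http://www.bank.example.secure-login.account-verify"
             ".attacker-example.net/login")


def truncated_preview(url: str, width: int = PREVIEW_WIDTH) -> str:
    """What a display that cuts the URL after `width` characters shows."""
    if len(url) <= width:
        return url
    return url[: width - 1] + "\u2026"  # keep width-1 chars plus an ellipsis


def hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Rightmost two labels of the host. Assumes a one-label TLD (.com, .net);
    a production check must consult the Public Suffix List instead."""
    return ".".join(hostname(url).split(".")[-2:])


def looks_like_subdomain_spoof(url: str, expected_domain: str,
                               width: int = PREVIEW_WIDTH) -> bool:
    """True when the preview shows `expected_domain` yet the link actually
    lands on a different registrable domain, i.e. the brand name is only a
    subdomain label under someone else's domain."""
    expected_domain = expected_domain.lower()
    return (expected_domain in truncated_preview(url, width)
            and registrable_domain(url) != expected_domain)


def safe_preview(url: str, width: int = PREVIEW_WIDTH) -> str:
    """Mitigation: put the registrable domain first so it can never be
    truncated away, then the rest of the URL as space allows."""
    return truncated_preview(f"[{registrable_domain(url)}] {url}", width)


if __name__ == "__main__":
    for u in (LEGIT_URL, SPOOF_URL):
        verdict = "spoof" if looks_like_subdomain_spoof(u, "bank.example") else "ok"
        print(truncated_preview(u), "->", registrable_domain(u), verdict)
        print("  safer:", safe_preview(u))
```

The heuristic is deliberately simple: it only asks whether the part a user can see names a domain other than the one the link resolves to. Anything that depends on the preview width is fragile, which is why the mitigation anchors on the registrable domain rather than on how many characters happen to fit.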
Raff’s blog shows an example of the phishing problem, and how long URLs can mislead users about which site they are actually visiting.