July 23, 2008 3:06 PM PDT

iPhone vulnerable to phishing attacks

Posted by Robert Vamosi

Security researcher Aviv Raff said on Wednesday that the iPhone's Mail and Safari applications are prone to URL spoofing and could allow phishing attacks against iPhone users.

The alert was anticipated. Prior to the release of the iPhone on July 11, Raff was one of a few security researchers who indicated they had found vulnerabilities but were waiting to see the final iPhone 2.0 release.

By crafting a specially designed URL, Raff says an attacker could create an e-mail link that appears in Mail to be from a trusted site (a financial institution or social network). By clicking the link, Safari will open to the phishing site. The issue affects users of iPhone 1.1.4 and 2.0.

Raff, who has informed Apple of the vulnerability, declined on his blog to offer more details until a patch is available.

Until then, Raff suggests iPhone users "avoid clicking on links in the Mail application which refers to trusted Web sites (e.g. bank, PayPal, social networks, etc.). Instead, a user should enter the URL of the Web site manually in the Safari application."

Topics:

News

Tags:

security,

Apple,

Aviv Raff,

iPhone,

Mail,

Safari

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from News - Security
Microsoft slams Google on privacy
CSI Stick grabs data from cell phones
Apple to fix hole in password-protected iPhones
Best Western details hack of German hotel
British man to face hacking charges in U.S.
Add a Comment (Log in or register) 16 comments
by ballmerisanape July 23, 2008 3:34 PM PDT
Are any other systems affected? Apple Mail? Outlook? Any mail program that allows "links"?
Reply to this comment
by the_mrwhite July 23, 2008 3:38 PM PDT
This is stupid, any computer and ANY device that can except email and surf's the internet is vulnerable to this. (Blackberry, Treo come to mind) This IS NOT a flaw of the iPhone by any means, only a way for this company to get attention because the iPhone is so popular and in the news a lot lately. Don't be fooled.
Reply to this comment
by yuniverse July 23, 2008 4:13 PM PDT
I agree with mrwhite

This is SO dumb of cnet to host this stupid article.
Any computer or wireless device with email and internet capabilties are vulnerable to this type of phishing attack.
Why put iPhone on the spot light as if it's the only one to have this type of vulnerablity?
Journalism at its worst. Shame on you Cnet
Reply to this comment
by TSkeptic July 23, 2008 5:08 PM PDT
Yawn. Don't click on links in an email... has been a rule of thumb for most of this millennium.... This is yet another take on the extended site verification junk issue that security guys love. This destroys Avivs reputation for integrity. He just wants the publicity.

Well done Aviv. You got some attention! Now - your alerts will fit into the "Boy who cried - Wolf!" category.
Reply to this comment
by ikramerica--2008 July 23, 2008 7:35 PM PDT
There are people who create spoofed emails from banks? Say it isn't so? I don't have an iPhone, but I've seen hundreds of them in my life, mostly addressed to my aol accounts. (.Mac/me.com is very good at blocking these before your iPhone would see them...) Why is this an iPhone specific problem? Because some guy says it is? Does he not live in the world the rest of us do, where you never directly click a link in an email from a "bank," and where your real bank will NEVER ask you to do so! They always tell you to log onto your account on your own. Only scammers provide easy link to banking sites in emails...
Reply to this comment
by ikramerica--2008 July 23, 2008 7:37 PM PDT
Wait, i just had an idea. Maybe a scammer could pretend to send an email from Paypal threatening to close your account. If you don't click the link, you get canceled. Anyone ever try that one? Obviously, the iPhone is the only device that could get an email like that. iPhone users, BEWARE! :)
Reply to this comment
by AppleSuxLeo July 23, 2008 11:27 PM PDT
Mr Apple kiss-a** is in a state of denial. Apple products ARE full of holes...and Jobs the dirt-bag IS dying of pancreatic cancer ! Bwhahahahaha !!!
Reply to this comment View all 2 replies
by AppleSuxLeo July 24, 2008 4:06 AM PDT
Apple = Swiss cheese.
Reply to this comment View all 3 replies
by oneoclock July 24, 2008 7:04 AM PDT
Anybody who believes their bank will send them email deserves to have their accounts raided. Banks don't send email to their customers, they send old fashioned letters using old fashioned paper.
Reply to this comment
by The_Decider July 24, 2008 2:11 PM PDT
Are you kidding me?

Phishing is an attack that uses human stupidity, it is a form of social engineering.

There are no tools to stop stupidity.

Every single browser and email client on the planet is susceptible because people are ignorant,

Yet another CNET writer that doesn't understand tech.
Reply to this comment
by ikramerica--2008 July 24, 2008 3:59 PM PDT
Yes, banks do send emails. They are usually of the alert variety that you set up. Like to let you know if a large withdrawal is made. Never do they send an active link you must use. They even tell you they won't do so, and warn you NOT to ever click one that is sent.

And other emails banks send? Warnings to customers that there are phishers out there and to be careful. :)
Reply to this comment
Powered by Jive Software
advertisement

About News - Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

News - Security topics

Latest tech news headlines

Featured blogs

Resource center from News.com sponsors
Same great protection. Reengineered for speed.
Norton Internet Security™2008

Click Here!
Norton still delivers award-winning protection and now uses 83% less memory and scans 48% faster than the competitor average. Get a FREE trial today!

Click Here!
Norton Beats the Competition

See how Norton Internet Security™2008 uses less memory, while scanning and booting faster than the competitor average.

Norton Protection Blog

Read the latest from our security experts as they help protect people from evolving online threats.

Protect Your Bluetooth Connection

Don't let fraudsters sink their teeth into your Bluetooth connection.

Vishing - What you need to know

Meet the latest ID theft scam: Voice Phishing.

Take Norton for a Test Drive Today!

Act now to get your FREE trial of Norton Internet Security 2008.

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Dell
PlayStation 3
Wii
Windows Vista
CNET sites
CNET TV
Downloads
Forums
News
Reviews
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET