Frustrated researcher details iPhone security bugs

One of the bugs could be used to trick users into clicking on malicious links to deliver spam.

Tired of getting the brush-off from Apple, Israeli researcher Aviv Raff Thursday disclosed technical details about a pair of iPhone security flaws that he first reported more than two months ago.

Raff, best known as a browser vulnerability researcher, told Apple in July that he had uncovered bugs in the iPhone's Mail application as well as in its version of Safari that could be used to trick users into clicking on malicious links and boost the amount of spam they face.

But after Apple continued to defer patching and declined to set a date for fixing the flaws, Raff decided to go public. "Two and a half months later, and still there is no patch for those vulnerabilities," he complained in a post to his blog. "I've asked Apple several times for a schedule, but they have refused to provide the fix date. Three versions (v2.0.1, v2.02, v2.1) have been released since I provided them with the details, and they are still 'working on it.'"

In an interview Thursday, Raff said that while he's used this tactic before to pressure a vendor into patching, he's reserved it for companies that "act irresponsibly, as Apple did this time and other vendors have done other times." Raff said he last contacted Apple a week ago.

Apple last patched the iPhone on September 12, when it issued fixes for eight security vulnerabilities as part of the v2.1 update.

Both Mail and Safari truncate URLs to accommodate the iPhone's small screen, said Raff, a bug that hackers could exploit by feeding malicious links via HTML messages. Because Mail cuts out the middle portion of a long URL, the attacker could spoof a legitimate domain by using a legitimate service such as Facebook to provide the first bits of the address but tuck the malicious part of the URL after the iPhone's cut-off.

Raff demonstrated a possible exploit by creating a link that, at least to an iPhone owner, appeared to be a URL to Facebook's sign-in site, but was actually a link to an image he'd posted on his own domain.

"The user will have to look carefully at all links that he clicks," said Raff when asked for advice on deflecting such attacks. "But this takes a lot of effort as Safari automatically jumps to the end of the URL when clicking on the address bar."

He called the other iPhone bug "a pretty dumb design flaw" that made it easier for spammers to identify valid e-mail accounts, and thus mark them for more spam.

Because the iPhone automatically downloads images attachments, it would be a cinch for spammers to identify a working e-mail account. "The spammer who controls the remote server will know that you have read the message, and will mark your mail account as active, in order to send you more spam," said Raff. Since there is no way to disable auto-image download on the iPhone, he recommended that iPhone users refrain from using Mail until Apple patches the problem.

The same bug has surfaced before in other versions of Apple's Mail software -- the company bundles a much brawnier edition with Mac OS X -- but those versions have long been patched.

Claiming that the flaws were easily fixed, Raff called on Apple to get on the stick. "It's only a matter of time until the bad guys will find these problems," he said.

Raff isn't the first security researcher to knock Apple's patching process. Last month, two other researchers, including Charlie Miller, who is even better known than Raff in the Mac and iPhone vulnerability arena, took Apple to task for dumping several updates on users in a short time, and without warning.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags iPhone

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?