iPhone Hacks

Security Researcher Reveals Two Security Flaws in iPhone's Mail App

Security researcher Aviv Raff has revealed two security flaws in the iPhone's Mail app. Raff claims that he notified Apple about the flaws two months ago and that Apple told him it was working on fixing them.

However, since Apple has not addressed the issues in the three iPhone firmware updates released since then, he decided to reveal the information to the public.

The first flaw the researcher identified in the iPhone's Mail app is that it automatically downloads the images in an email.

The issue is that downloading the image informs the sender that the email has been opened and that the email address is valid, which could result in the address getting spammed.

Most email applications do not download images automatically from untrusted sources, precisely to prevent this problem.

The second security flaw has to do with the way the iPhone's Mail app displays URLs when viewing them in HTML mode.

He explains that a user can get an email where the text of the link is different from the actual link. The true link can be seen by hovering over the text, which results in a pop-up window revealing the URL. The problem is that the pop-up window truncates the URL since there isn't enough space on the screen.

According to Raff, an attacker could create a site with a long subdomain to fool an iPhone user into thinking it is a legitimate site, exposing the user to possible phishing attacks.
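A defensive check covering both flaws described above, as an added example that is not part of the original post or Raff's report: it lists remote images a client would fetch if it auto-loads them, and flags links whose visible text names a different host or whose real host falls outside a truncated display. `DISPLAY_WIDTH`, the finding labels and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

DISPLAY_WIDTH = 24  # assumption: characters of the URL a truncated pop-up shows

class MailAudit(HTMLParser):  # collects remote images and (href, text) pairs
    def __init__(self):
        super().__init__()
        self.remote_images, self.links = [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if tag == "img" and urlsplit(src).scheme in ("http", "https"):
            self.remote_images.append(src)  # fetched on open if images auto-load
        elif tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_in_text(text):
    """Host the visible link text claims, or None when the text is not URL-like."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "//" in text else "//" + text).hostname

def audit(html):
    parser = MailAudit()
    parser.feed(html)
    findings = [("remote-image", src) for src in parser.remote_images]
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        shown = host_in_text(text)
        if shown and shown != host:
            findings.append(("text-href-mismatch", href))
        # Left-anchored truncation shows only the leading subdomain labels.
        if len(href) > DISPLAY_WIDTH and host not in href[:DISPLAY_WIDTH].lower():
            findings.append(("host-hidden-when-truncated", href))
    return findings

SAMPLE = (  # constructed message body, not taken from Raff's report
    '<img src="http://tracker.test/open.gif?id=42" width="1" height="1">'
    '<a href="http://www.bank.example.login.session.attacker.test/">www.bank.example</a>'
)
```

Running `audit(SAMPLE)` returns one finding for the remote image and two for the link; a message with only inline (`cid:`) images and links whose text matches their host returns an empty list.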

However, it is important to note that these security issues are not limited to the iPhone's Mail app; they also exist in the desktop version of Apple's Safari browser and in the iPhone's Safari browser, as they don't have a phishing filter.

Raff, who claims that he informed Apple about these security flaws a couple of months back but finally decided to reveal them to the public as they have not been fixed, has this to say:

"I think they put their own users at much more risk by not fixing this," Raff said in an interview. "At least now the users who read this will know to be careful. It's only a matter of time until the bad guys will find this anyway."

I also think Raff is missing the bigger picture here. Apple has fixed quite a few security issues in iPhone firmware 2.1, and I am sure they will continue to fix them in future versions based on their priority and the time it would take to fix them.

What do you think? Will you stop using iPhone's mail app or Safari browser due to these security flaws? Let us know in the comments.

[via Macworld]
