iPhone vulnerable to phishing attacks

Security researcher Aviv Raff said on Wednesday that the iPhone's Mail and Safari applications are prone to URL spoofing and could allow phishing attacks against iPhone users.

The alert was anticipated. Prior to the release of the iPhone on July 11, Raff was one of a few security researchers who indicated they had found vulnerabilities but were waiting to see the final iPhone 2.0 release.

By crafting a specially designed URL, Raff says an attacker could create an e-mail link that appears in Mail to be from a trusted site (a financial institution or social network). By clicking the link, Safari will open to the phishing site. The issue affects users of iPhone 1.1.4 and 2.0.

Raff, who has informed Apple of the vulnerability, declined on his blog to offer more details until a patch is available.

Until then, Raff suggests iPhone users "avoid clicking on links in the Mail application which refers to trusted Web sites (e.g. bank, PayPal, social networks, etc.). Instead, a user should enter the URL of the Web site manually in the Safari application."

[ballmerisanape]

Are any other systems affected? Apple Mail? Outlook? Any mail program that allows "links"?

[the_mrwhite]

This is stupid, any computer and ANY device that can except email and surf's the internet is vulnerable to this. (Blackberry, Treo come to mind) This IS NOT a flaw of the iPhone by any means, only a way for this company to get attention because the iPhone is so popular and in the news a lot lately. Don't be fooled.

[yuniverse]

I agree with mrwhite

This is SO dumb of cnet to host this stupid article.
Any computer or wireless device with email and internet capabilties are vulnerable to this type of phishing attack.
Why put iPhone on the spot light as if it's the only one to have this type of vulnerablity?
Journalism at its worst. Shame on you Cnet

[TSkeptic]

Yawn. Don't click on links in an email... has been a rule of thumb for most of this millennium.... This is yet another take on the extended site verification junk issue that security guys love. This destroys Avivs reputation for integrity. He just wants the publicity.

Well done Aviv. You got some attention! Now - your alerts will fit into the "Boy who cried - Wolf!" category.

[ikramerica--2008]

There are people who create spoofed emails from banks? Say it isn't so? I don't have an iPhone, but I've seen hundreds of them in my life, mostly addressed to my aol accounts. (.Mac/me.com is very good at blocking these before your iPhone would see them...) Why is this an iPhone specific problem? Because some guy says it is? Does he not live in the world the rest of us do, where you never directly click a link in an email from a "bank," and where your real bank will NEVER ask you to do so! They always tell you to log onto your account on your own. Only scammers provide easy link to banking sites in emails...

[ikramerica--2008]

Wait, i just had an idea. Maybe a scammer could pretend to send an email from Paypal threatening to close your account. If you don't click the link, you get canceled. Anyone ever try that one? Obviously, the iPhone is the only device that could get an email like that. iPhone users, BEWARE! :)

[AppleSuxLeo]

Mr Apple kiss-a** is in a state of denial. Apple products ARE full of holes...and Jobs the dirt-bag IS dying of pancreatic cancer ! Bwhahahahaha !!!

[kevinskrause]

Talk about insensitive. Your ignorance astounds me. How would you feel if you were dying from an extremely deadly cancer and some nobody laughed in your face? Pathetic.

[The_Decider]

Ignore him, he doesn't seem to understand that Windows is vulnerable when it is turn on and connect with no one running anything.

[AppleSuxLeo]

Apple = Swiss cheese.

[ballmerisanape]

The proof is in the pudding. M$ fanboys make me laugh. Drink some more punch.. please.

[The_Decider]

That is funny. Windows has tens of thousands if not more exploits in the wild that work right now. APple has zero.

[ikramerica--2008]

I've been using OSX for 9 years. Not one virus, worm, trojan, etc. Those are tiny, tiny holes. Yes they are there, but so far, so good.

[oneoclock]

Anybody who believes their bank will send them email deserves to have their accounts raided. Banks don't send email to their customers, they send old fashioned letters using old fashioned paper.

[The_Decider]

Are you kidding me?

Phishing is an attack that uses human stupidity, it is a form of social engineering.

There are no tools to stop stupidity.

Every single browser and email client on the planet is susceptible because people are ignorant,

Yet another CNET writer that doesn't understand tech.

[ikramerica--2008]

Yes, banks do send emails. They are usually of the alert variety that you set up. Like to let you know if a large withdrawal is made. Never do they send an active link you must use. They even tell you they won't do so, and warn you NOT to ever click one that is sent.

And other emails banks send? Warnings to customers that there are phishers out there and to be careful. :)