July 23, 2008 3:06 PM PDT

iPhone vulnerable to phishing attacks

Security researcher Aviv Raff said on Wednesday that the iPhone's Mail and Safari applications are prone to URL spoofing and could allow phishing attacks against iPhone users.

The alert was anticipated. Prior to the release of the iPhone on July 11, Raff was one of a few security researchers who indicated they had found vulnerabilities but were waiting to see the final iPhone 2.0 release.

Raff says that by crafting a specially designed URL, an attacker could create an e-mail link that appears in Mail to be from a trusted site (a financial institution or social network). When the user clicks the link, Safari opens the phishing site. The issue affects users of iPhone 1.1.4 and 2.0.

Raff, who has informed Apple of the vulnerability, declined on his blog to offer more details until a patch is available.

Until then, Raff suggests iPhone users "avoid clicking on links in the Mail application which refer to trusted Web sites (e.g. bank, PayPal, social networks, etc.). Instead, a user should enter the URL of the Web site manually in the Safari application."

16 comments
by ballmerisanape July 23, 2008 3:34 PM PDT
Are any other systems affected? Apple Mail? Outlook? Any mail program that allows "links"?
by the_mrwhite July 23, 2008 3:38 PM PDT
This is stupid, any computer and ANY device that can accept email and surfs the internet is vulnerable to this. (Blackberry, Treo come to mind) This IS NOT a flaw of the iPhone by any means, only a way for this company to get attention because the iPhone is so popular and in the news a lot lately. Don't be fooled.
by yuniverse July 23, 2008 4:13 PM PDT
I agree with mrwhite

This is SO dumb of cnet to host this stupid article.
Any computer or wireless device with email and internet capabilities is vulnerable to this type of phishing attack.
Why put iPhone in the spotlight as if it's the only one to have this type of vulnerability?
Journalism at its worst. Shame on you Cnet
by TSkeptic July 23, 2008 5:08 PM PDT
Yawn. Don't click on links in an email... has been a rule of thumb for most of this millennium.... This is yet another take on the extended site verification junk issue that security guys love. This destroys Aviv's reputation for integrity. He just wants the publicity.

Well done Aviv. You got some attention! Now - your alerts will fit into the "Boy who cried - Wolf!" category.
by ikramerica--2008 July 23, 2008 7:35 PM PDT
There are people who create spoofed emails from banks? Say it isn't so? I don't have an iPhone, but I've seen hundreds of them in my life, mostly addressed to my aol accounts. (.Mac/me.com is very good at blocking these before your iPhone would see them...) Why is this an iPhone specific problem? Because some guy says it is? Does he not live in the world the rest of us do, where you never directly click a link in an email from a "bank," and where your real bank will NEVER ask you to do so! They always tell you to log onto your account on your own. Only scammers provide easy links to banking sites in emails...
by ikramerica--2008 July 23, 2008 7:37 PM PDT
Wait, I just had an idea. Maybe a scammer could pretend to send an email from Paypal threatening to close your account. If you don't click the link, you get canceled. Anyone ever try that one? Obviously, the iPhone is the only device that could get an email like that. iPhone users, BEWARE! :)
by AppleSuxLeo July 23, 2008 11:27 PM PDT
Mr Apple kiss-a** is in a state of denial. Apple products ARE full of holes...and Jobs the dirt-bag IS dying of pancreatic cancer ! Bwhahahahaha !!!
by AppleSuxLeo July 24, 2008 4:06 AM PDT
Apple = Swiss cheese.
by oneoclock July 24, 2008 7:04 AM PDT
Anybody who believes their bank will send them email deserves to have their accounts raided. Banks don't send email to their customers, they send old fashioned letters using old fashioned paper.
by The_Decider July 24, 2008 2:11 PM PDT
Are you kidding me?

Phishing is an attack that uses human stupidity, it is a form of social engineering.

There are no tools to stop stupidity.

Every single browser and email client on the planet is susceptible because people are ignorant.

Yet another CNET writer that doesn't understand tech.
by ikramerica--2008 July 24, 2008 3:59 PM PDT
Yes, banks do send emails. They are usually of the alert variety that you set up. Like to let you know if a large withdrawal is made. Never do they send an active link you must use. They even tell you they won't do so, and warn you NOT to ever click one that is sent.

And other emails banks send? Warnings to customers that there are phishers out there and to be careful. :)