
Apple Ignores iPhone Phishing and Spamming Vulnerabilities

October 7, 2008


Security researcher Aviv Raff has discovered two separate security weaknesses that expose iPhone and iPod touch users to phishing and spamming attacks. He reported the phishing and spamming vulnerabilities to Apple a few weeks before he publicly discussed them on his blog in July. Since then, Apple has done nothing.

“Unfortunately, two and a half months later, and still there is no patch for those vulnerabilities. I’ve asked Apple several times for a schedule, but they have refused to provide the fix date,” explained Raff.

In the hope of gaining more attention and pressuring Apple to act more responsibly, Raff has decided to go public with the technical details of the above-mentioned security problems. In his latest blog post, he explained that email messages in HTML format can trick iPhone users into thinking that fake links are legitimate. The problem is with the tooltip preview feature, which displays only a small part of the URL. This flaw allows attackers to “set a long subdomain (~24 characters) that, when cut off in the middle, will look as if it’s a trusted domain.” Clicking such a fake link could easily expose victims to serious phishing threats, which could lead to identity theft.
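As an added illustration (not code from the article or from Raff), the following Python contrasts the left-anchored host preview described above with a rendering that always keeps the link's registrable domain visible, plus a check a client could use to flag previews that hide it. The sample URL and the 24-character preview width are constructed assumptions, and the "last two labels" rule is a stand-in for a proper Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed sample (not from the advisory): the first 24 characters of the host
# read like a familiar site name, but the registrable domain is the last two labels.
SAMPLE_URL = "http://www.trusted-bank.example.unrelated-host.test/login"
PREVIEW_WIDTH = 24  # assumed visible width, mirroring the ~24 characters in the article


def host_of(url: str) -> str:
    """Lower-cased host part of the URL (empty string if there is none)."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Assumption: the last two labels form the registrable domain.
    A real mail client should consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def naive_preview(url: str, width: int = PREVIEW_WIDTH) -> str:
    """Left-anchored truncation: shows the start of the host and cuts off the rest,
    so a long subdomain can fill the whole visible preview."""
    host = host_of(url)
    return host if len(host) <= width else host[:width] + "..."


def safe_preview(url: str, width: int = PREVIEW_WIDTH) -> str:
    """Right-anchored, label-aware truncation: the registrable domain is always
    shown whole, and leading subdomain labels are the first thing dropped."""
    host = host_of(url)
    if len(host) <= width:
        return host
    labels = host.split(".")
    shown = labels[-2:]                      # never drop the registrable domain
    for label in reversed(labels[:-2]):      # prepend subdomain labels while they fit
        candidate = [label] + shown
        if len(".".join(candidate)) + 3 > width:   # +3 for the leading "..."
            break
        shown = candidate
    return "..." + ".".join(shown)


def preview_hides_domain(url: str, width: int = PREVIEW_WIDTH) -> bool:
    """True when the naive preview does not show the link's real registrable domain,
    i.e. the case the article describes."""
    return registrable_domain(host_of(url)) not in naive_preview(url, width)
```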

The spamming vulnerability “is not just a trivial bug, it’s actually a pretty dumb design flaw, which was already fixed by all other mail clients ages ago.” The problem here is that the iPhone e-mail client automatically downloads all remote images without asking users for their approval. The flaw puts iPhone users at risk because every time they open a spam message, the remote server controlled by the spammers records the image request and flags their address as active, which leads to even more spam.
