iPhone flaw found

Mail and Safari open to phishing attacks


27 July 2008 16:06 GMT / By Katie Scott

A security expert is claiming that using the iPhone's Mail and Safari browser applications could leave owners vulnerable to phishing attacks.

Security researcher Aviv Raff has revealed the problem in his blog.

He explains that by creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain, such as a bank, PayPal or even a social network.

He adds: "When the iPhone user then clicks on the URL, the Safari browser will be opened".

"The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is from a trusted domain."

The iPhone user will then be open to phishing attacks as they will enter private information, such as passwords, because they believe they are on the real site and not a fake.

Raff says that iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability, but earlier versions may also be affected.

In addition, a security design flaw means the iPhone's Mail application is also spammable, says Raff.

He adds that he is currently withholding the technical details of the vulnerability until a fix is delivered by Apple.

He said Apple has acknowledged the vulnerability in the Mail application, and is still investigating the issue in the Safari for iPhone browser.

In the meantime, Raff is advising iPhone users to avoid clicking on links in the Mail application and to enter URLs manually instead.


