Flaws in the Mail and Safari applications bundled with the iPhone leave users of the device at greater risk of phishing attacks. A URL-spoofing vulnerability means that a dodgy domain pointed to by a specially crafted URL can appear to be that of a trusted brand when viewed through the iPhone's mail or Safari browser …
Tap & Hold
Here's a tip; if you tap on a link in an e-mail and hold for a second or two, the URL pops up for your delighted perusal.
can somebody please elaborate on this?
I fail to see how a link to a malicious website sent in a mail would be specific to any particular mail client or device?
If a Nigerian scammer sends you mail and asks you to tell them your bank details, how can you blame any device or software if you are stupid enough to do so?
Of course a baby-with-the-bathtub solution would be to block all email that contains a URL. Is that what this "researcher" suggests the iphone is doing wrong?
a permanent solution.
Why don't browsers simply implement this simple solution:
When a block of text is marked as a URL: use that block of text and not an embedded link. Then there is no more hide and seek.... At least give browsers an option flag to use either the embedded link or the text of the link itself, and an option to display either the original text or directly the attached link when rendering the page.
Gosh, you mean an Apple product is not perfect? Wait... What? Oh, you're on about the iPhone! That explains it then.
Re: Tap & Hold
Yeah, but *if* the vulnerability means that the bad guys can fake the URL that pops up then your tap & hold procedure is rendered useless.
Of course that's a big if - I've no idea what the specifics of this vulnerability are.
Probably the IDNA vulnerability
Where a domain name in a non-latin character set looks like a different one in English (aka homograph spoofing attack).
There are various fixes for this in most current desktop browsers.
Try http://www.shmoo.com/idn/ on your iPhone and see what it does?
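The two ideas raised in this thread, comparing the link text against the real href (the "permanent solution" post above) and spotting IDN homograph domains (this post), can be checked mechanically on the defender's side. The following is an added example, not code from the original article or any of the commenters; it uses only the Python standard library, the sample anchors are constructed, and the script detection is a heuristic based on Unicode character names rather than a full confusables table.

```python
"""Check an anchor's visible text against its href and flag IDN / mixed-script
hostnames (homograph candidates). Added example; sample data is constructed."""
import unicodedata
from urllib.parse import urlparse


def looks_like_host(host):
    """Accept only dotted names made of letters, digits, hyphens and dots."""
    return bool(host) and "." in host and all(c.isalnum() or c in "-." for c in host)


def host_of(url_or_text):
    """Lowercase hostname of a URL or bare domain; None for ordinary prose."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # let urlparse see a bare domain
    host = urlparse(candidate).hostname    # .hostname is already lowercased
    return host if looks_like_host(host) else None


def to_ascii(host):
    """IDNA (punycode) form, i.e. what the resolver actually looks up."""
    return host.encode("idna").decode("ascii")


def label_scripts(label):
    """Heuristic: the first word of each letter's Unicode name, e.g. 'LATIN',
    'CYRILLIC', 'GREEK'. A label with more than one is a homograph suspect."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def assess_link(visible_text, href):
    """Return finding codes for one anchor; an empty list means nothing odd.

    host-mismatch : the text shows a URL/domain but the href goes elsewhere
    idn           : the href host contains non-ASCII or xn-- labels
    mixed-script  : a single label mixes scripts (classic homograph pattern)
    """
    findings = []
    shown = host_of(visible_text)
    target = host_of(href)
    if target is None:
        return ["no-host"]
    if shown and shown != target:
        findings.append("host-mismatch")
    labels = target.split(".")
    if to_ascii(target) != target or any(l.startswith("xn--") for l in labels):
        findings.append("idn")
    if any(len(label_scripts(l)) > 1 for l in labels):
        findings.append("mixed-script")
    return findings


# Constructed sample anchors (visible text, href); the third uses a Cyrillic
# 'а' (U+0430) in place of the Latin 'a' so the text and href look identical.
SAMPLE_LINKS = [
    ("http://www.example.com/login", "http://www.example.com/login"),
    ("http://www.example.com/login", "http://203.0.113.5/example/login"),
    ("www.example.com", "http://www.ex\u0430mple.com/login"),
    ("Click here", "http://www.example.com/"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{text!r:35} -> {to_ascii(host_of(href)):30} {assess_link(text, href)}")
```

Tap-and-hold on the phone reveals the href, but it shows the Unicode form; a client that displays the punycode (`xn--`) form, as several desktop browsers did in response to the shmoo.com demonstration, is what makes the third sample visibly wrong to a human.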
I'm not sure what that shmoo site is trying to tell me?
It comes up with a link saying 'IDN spoofed URL'. You click on that and it comes up with a page saying 'The fake TSG'.
I tried it on firefox and safari and they behave in exactly the same way.
As the fake and 'real' pages have different URLs this to me proves nothing... that links to different pages go to different pages? What am I missing?
Maybe hardware not the weak link. Maybe other thing. BEEP.
Iphone not the problem
I don't know why you think this is an issue with the Iphone. The Iphone and all products that Apple make are beyond criticism from any mere mortals.
Obviously this is a flaw with the rest of the universe and this needs to be changed to ensure that it doesn't impact upon any of his Jobiness' creations.
PS. Obviously if a similar exploit is found in any other operating system then it's obviously a major security issue with that system, and anybody using that system should be struck down by lightning.
Banks don't send email
You can safely ignore and delete any email that purports to come from a bank. Banks don't send email, they send old fashioned letters on old fashioned paper.