A security expert is advising iPhone users to steer clear of the device's default email application until engineers rework what he calls "a pretty dumb design flaw" that could expose users' email addresses to spammers and other online frauds. The warning comes two and months after researcher Aviv Raff first reported two email- …
Oh, Apple design work so PERFECT AGAIN!
Yes, perfectly crap.
All the Apple Kool Aid Drinkers deserve this weekly sort of stuff. It's a lot like Leprosy. (look it up, stupids)
As a longtime Mac user...
it's a bit unsettling that as time passes I start to agree with Webster in certain aspects. Apple's got interface, ease-of-use, and aesthetic industrial design covered, but they really need to play catch up with bugs, security flaws, and hardware defects.
*sigh* Success breeds carelessness, it would seem.
Can we have a Steve icon with both halo and horns?
The commercials said Apple devices were flawless and that only PC's had vulnerabilities.
I know, this isn't a flaw, it is an intentional design used in an improper manner.
@ Chris Shewchuk
No need to agree with a rabid, pestilence-spreading troll to see that a design flaw is a design flaw. And that's precisely what this is--indeed, even a slightly embarrassing one. That being said, the issue now is when it will be patched--not if, because such a flaw cannot go unpatched. If a year goes by, Apple will deserve strong criticism; if a week goes by, less so.
Paris, because she knows about avoiding rabid, pestilence-spreading trolls.
"... the link appears to point to https://securelogin.facebook.com/reset.php? ..."
No, it appears to point to http://securelogin.facebook.com/reset.php?...
"... the address bar shows only https://securelogin.facebook.com/reset.php?...
Again, it would actually show http://securelogin.facebook.com/reset.php?...
One would expect a tech reporter to know http from https. Of course, one would also expect a software developer to be able to write a proper URI parser. Perhaps one's expectations are too high?
Needs to be fixed urgently
This needs to be fixed urgently so that the 0.01% of users who actually closely look at a link in an email before clicking on it are no longer at risk!
El Reg readers see a URL and can instantly identify all the parts and see something is not right. To Average Joe it looks about as complex as an equation Stephen Hawking might come up with and doesn't even being to try and read it.
You could create an email that looks like it comes from paypal with a link to clickheretoloseallyourmoney.com and the masses would still click it.
Apple deserves criticism just by their lack of transparency when it comes to dealing with flaws.
"rabid, pestilence-spreading troll"
Don't beat around the bush, mush, say what you really mean ;-) Need. a. coffee-proof. keyboard. now. :^)
I disagree with your year though, a couple of months is about the limit for a hole like this.
Paris, so she can sic a pestilence on all rabid trolls.
"If a year goes by, Apple will deserve strong criticism; if a week goes by, less so."
How about over 2 months? Coz that's how long Apple have already had and failed to patch these issues. Even MS are faster than that for simple problems like these.
Users' own faults
That's what y'all get for reading email on your phone. The Bible sez not to do that...
Paris because she's hawt.
@ Steven Knox...
I noticed that too, the "http://" not "https://", and I am no expert! I'm sure a bunch of people would be duped, hopefully not anyone with a modicum of web savvy.
mines the one that made me say.."wtf is this?!"
Hard to see an obvious workaround?
What would we have Apple do for that second problem? Make the URL bar 95% of the screen when browsing a long URL on Safari?
Seriously, I know that sounds flippant, but what actually *could* you do?
I think what's interesting here is that both of these flaws come about from Apple trying to improve the look, feel and convenience of the application. Exactly the problems that MS were rightly criticised for years ago. Have we not moved on?
iPhone, let down by daft user's
There is not a problem with the iPhone luring people to sites like this, only the stupid gullibility of users who blindly go where their led. Use the brain cells you have and protect yourself, don't always pass the buck to others because of your own inability to think.
Think before you click.
Get a Mac, get a good life.
text/plain is the solution
HTML mail is the real culprit but Jobs deserves a good kicking for embracing it so wholeheartedly. AppleMail is okay (not as good as Mr. Carruthers own mailer but that's by the by) but it has never had a "Display mail as text" option and comes with a load of "templates" which suggest that you can reliably style ASCII text.
Apple secret world
I use apple products like the itouch and apple mac laptop, but what gets me is the fact that when someone reports a defect that has the effect to cause major problems then those boys and girls at apple need to to be a little open when it comes to time scales for releasing a fix.
Something like this should have apple putting out some sort of statement saying 'A fix will be released on x date' simple as that.
Simple solution, really
Since web"masters" have managed to make anything-but-msie-html (webpage sends you to a dedicated page if not using msie), how about setting up a standard catch-all that redirects safari-on-iPhone to a dedicated page warning the owner that "you are using iPhone. Since there are several unfixed security bugs with the iPhone, that Apple wants to hide under the carpet, we have been forced to block all access to our site from the iPhone. We will reconsider this policy IF, and only if, Apple manages fix their broken attitude. Until then, feel free to come back using anything but safari."
If sufficent amount of websites include such a message, I have the slight feeling RFC (Rotten Fruit Corp) may consider increasing their speed for security-cleanups to something less glacial.
Mm. Nice, so you can appear to be a 'trusted' website (forgetting any https controls) as long as the trusted website has exactly 24 characters in it. Aviv even needed to make up the domain 'securelogin.facebook.com' to get this to work right - that domain name does not even exist.
I'm an iPhone user, and now really quaking in my boots with this revelation.. Honest gov..
Good but "phishers of men" would have been better.
Mine's the one of many colours worn earlier in the story.
I note that these flaws,
being URL truncation and automatic image downloading are similar to problems that Microsoft had years ago - and fixed years ago - on the Windows platform (and indeed seem to have avoided on Windows Mobile completely), and were vilified loud and long for having. @ Kiminao - this isn't "slightly embarassing", these are bloody GLARING security holes that should never have been allowed to make it into the released product. Funnily enough, the same sort of flaws provoked howls of derision from Apple fans, and anyone daring to say anything like "That being said, the issue now is when it will be patched--not if, because such a flaw cannot go unpatched." would have been vilified as a credulous buffoon. Ah well, how the wheel turns, eh?
Evil Steveil for obvious reasons...
And of course...
This situation isn't helped by Apple refusing to allow apps that compete with theirs in the app store.
Of course if Apple allowed competing software in the iPhone store then this would be less of a problem.
(Disclaimer: I own a Mac.)
Click on the link just to see what was there?
Typical rabid Apple fan much? One year? A MS bug and people criticise, an Apple bug and they are excused to fix it within a year. Double standards me thinks.
This flaw has been out for 2 months now. There is absolutely no excuse for such a thing to exist.
Pretty poor, but why the bile?
Embarrassing nuisance as far as security flaws go. iPhone security seems to be dragging worryingly behind Mac security. As the two are both based on the same code (apparently) you would have thought keeping the necessary updates released in sync would be easier for the developers.
Unless (shock horror!!) Apple are telling a few porkies about the code being the same ;-)
On another note, isn't the "fanboy" bit getting old now? Apple customer base has grown quite a large amount past that core Mac evangelism crowd of the last millennium and even encompasses normal socially functional human beings these days. How about El Reg give it a rest?
Giving it a rest?
"On another note, isn't the "fanboy" bit getting old now? Apple customer base has grown quite a large amount past that core Mac evangelism crowd of the last millennium and even encompasses normal socially functional human beings these days. How about El Reg give it a rest?"
Come on! The Apple community has long been stomping around with a smug sense of superiority every time every little security bug is announced in Windows. There's a long way to go to redress the balance and they are a viable target :-)
Took someone long enough
Thought it was a bit poor having no option to not download external images. You'd have hoped someone at Apple would have noticed the lack of feature and identified it as a high priority issue. No-one else seemed to have identified it either when I spotted it happening and Googled the problem.
Annoying when you see a spam email come in, so ignore it and read the others, delete after reading them and then the email client goes and opens the next one in the list which happens to be the spam one and loads the images. Grr!
It's no big deal. Sure, it should be fixed, but you're just as likely to get stung by clicking on a dodgy email link in Outlook.
The URL truncation 'flaw' I can forgive and as Tony Chandler previously said what are they reasonably going to do with very long addresses on a quite small screen? User awareness (as always) is key to void being duped like this. MacOS, Windows, whatever - there be monsters in them thar links.
The automatic downloading of images in email however, that's quite an impressive dropping of the ball. Spamtastic! Can't imagine that would be too hard to fix though, and if Apple really do want to get these things into wide corporate usage I'm surprised it's taking as long as it has.
Only a problem if you open the message
The email app shows a preview, which is more than often shows the email as being spam.
These security researchers do tend to target Apple, there's almost certainly tons of holes in Windows Mobile purely because the Internet Explorer and Email apps in WM don't get updated like the desktop versions do. Your phone vendor is unlikely to give you a new ROM to fix a security hole and so you're stuck with a compromised phone.
At least with Apple they fix such problems.
Something should really be done about links in emails. It is there for convenience, and is really useful on devices that don't have real keyboard input so typing would be too cumbersome. Would a message box work clarifying the domain solve this? 'You are about to navigate to the domain "securelogin.facebook.com" on HTTPS. Continue?' This could be a standard thing on all email clients, much the same way as not downloading images is (or not).
Companies don't do themselves any favours with the types of links they put in emails either. e.g. http://email1.paypal.co.uk/u.d?PG2ZaAmgKj7fd4Uep=390 . If they want average joe to be able to identify phishing emails, they need to keep it simpler.
You've ignored one problem completely (the one that looks more serious), and totally missed the point of the other. I'm relatively neutral when it comes to Macs, but these are a pair of mistakes that are quite serious and should never have left the test lab - although the URL hiding is almost excusable as other people have said.
The image download issue opens you up to any renderer bugs as well as letting spammers know that your address is valid, read, and has someone with an iPhone at the end of it (agent string sent when collecting the image). All in all, a definite "no-no". I read my mail using a command line text only client most of the time (at home that is, work is enforced as outlook) - and then only open mails in something more "intelligent" if I'm happy that it's safe and it warrants the effort, this approach of "least possible attack vector" is common sense, and all apps should work that way by default.
The URL masking is such that it will completely hide the real URL you're at. Yes, an IT novice (or complete moron, everyone's been hammered to death enough to know about this by now) is as likely to click on an obfuscated link as they are one that has been hidden like this - but for most of the world this is more of an issue. Fixing it is going to be an issue of finding how to show the whole hostname if it's too long. One option would be to have the maximum width for the hostname, and scroll it while it's too long. Not a "nice" solution, but one that would do the job
Of course - no-one should click a link in an email anyway to get to anything "secret", you should open a browser and type the URL in yourself, but we all have "lazy" days.
Re: Hard to see an obvious workaround
"What would we have Apple do for that second problem? Make the URL bar 95% of the screen when browsing a long URL on Safari?"
Keep the space fairly small but auto-scroll the text? It's a little extra work, but surely "displaying the wrong text" is just unforgivable.
Re: Not quite
"One would expect a tech reporter to know http from https."
Meow! Sadly, it doesn't require much in the way of additional "elite hacker" skills to set up a site listening for SSL connections and to send someone a link beginning with https instead of http. Or did they need to spell everything out for you?
"Seriously, I know that sounds flippant, but what actually *could* you do?"
Scroll the text in the URL bar perhaps?
Re: Pretty poor, but why the bile?
This is part of the backlash against smug Apple owners and the whole Mac/PC thing. Long overdue TBH.
Actually it does take a bit more than that. You need a certificate which matches the URL in the address bar. Which needs to be issued by a CA your browser trusts. Or else you'll get certificate errors. Which means you'll need to buy that certificate from one of the major cert providers.
Now walk us through how you're going to persuade verisign to issue a certificate for a url which begins "securelogin.facebook.com" to you will you please? Hmmm?
Solution, @Tony Chandler
It's easy. No need to scroll. Just truncate the subdomain. Always show the TLD and the domain, in boldface, to distinguish it from the rest of the URL.
I've heard that in certain cases you can get wildcard Verisign certificates that will match any subdomain. So if that's true, you could get the certificate and the setup securelogin.facebook.com.yourdomain.com with a valid cert root path.
"Mm. Nice, so you can appear to be a 'trusted' website (forgetting any https controls) as long as the trusted website has exactly 24 characters in it. Aviv even needed to make up the domain 'securelogin.facebook.com' to get this to work right - that domain name does not even exist."
Er yeah, since everybody does a whois when they get a link and we all know all possible subdomains on every site we use? are you for real or just being intentionally stupid?
It works great just as long as the 24 char url is plausible - this vulnerability is a phishers wet dream
sign ofthe times
Apple may have been good when they had a small user base. Bigger user base = bigger diversity = larger chance to be hit by malware.
soon they will be as vulnerable as microsoft...
Mistakes were made...
But not by Apple it would seem. Anyone else read anything about cognitive dissonance? Interesting stuff that helps explain why iPhone owners are on here defending the indefensible.
The URL truncation thing is just piss-poor implementation; Apple should be embarrassed enough by the simplicity of the exploit to have fixed it by now. Want an SSL cert for the entire avivraff.com domain? Simple: http://www.digicert.com/wildcard-ssl-certificates.htm
The solution (as mentioned above) is to display: http://...com.avivraff.com/...reset.php or similar. That can't be too hard now, can it?
NB I'm not on the outside pissing in. I too have an iPhone. So I'm on the inside, but I admit I'm pissing...
Yawn, not the tired old "more users means more vulnerabilities" argument again. If that's true then why aren't there hundreds or thousands of vulnerabilities for the 150 million or so iPods that Apple have sold? Likewise why aren't there any viruses for the tens of millions of Macs out there? There are tens of millions of Linux boxes (desktops, servers and embedded systems) and how many viruses and worms for them?
Isn't it time you educate yourself a bit better about IT security?
WRT this phishing and images-in-email issue Apple really should sort it out, and quickly. While they're fixing the display of the URL they should also make the iPhone check the domain against a blacklist, as other mail clients and browsers do.
Ha! I wish they'd told me at school that this is what it took to be a "security expert".
How can anyone forgive the URL truncation error?
They are not just truncating the complete URL (which is acceptable), they are truncating the hostname portion of the URL in a way that serves no other purpose but to allow their customers to be deceived. IMHO this is very close to criminal negligence. Even more so when they haven't released a fix for it in a timely manner despite the fact that the code change would probably only take 5 seconds (and probably 2-3 days in test).
On the other hand, I tend to view the image download issue as very minor - it really boils down to them forgetting. Yes it's an oversight, but it's one that just about every other email client made in their early versions. The code change to fix this is more complicated and as new functionality more likely to be released as part of a bigger firmware upgrade rather than a small patch.