Hmmmm...
Someone hacked service from Apple, and the hack has serious flaws. Sounds like Apple's problem alright!
A German developer has discovered that sending an AIM message to someone who has both jailbroken their iPhone and installed a hack that enables it to receive push notifications may result in your message being read by anyone else who has installed the push-enabling hack. Till Schadde, founder of equinux, tells The Reg that he …
Steve knows about it already - via his hacked iPhone.
Kids break their toys and go whine to the provider? Yeah makes sense to me.
Hack to make the iPhone not work as it was designed... makes the iPhone not work as it was designed. Film at 11.
How is this newsworthy? Someone installs some dodgy, non-approved software that rebroadcasts messages sent to it, and it's supposed to be the hardware manufacturer's fault?
This is a security risk potentially allowing people to spoof iPhone IDs because they are demonstrably hackable.
maybe apple users are used to running everything under one uid, but back in the real world you can't normally read someone else's messages without their security details. a mere userID shouldn't hack it.
The problem is not on an iphone which is jailbroken in itself, it's a problem with an iphone that has been 'hacktivated' to allow non-approved simcards to work in it (NOT the same thing as jailbreaking!).
My phone is jailbroken but still running on the O2 network with the original sim card and push notifications works without any extra hacks. The hacks are only needed to get push notification working with sims from unapproved networks.
Jolyon
I didn't see any whining here. It's more "hey look what I found! may want to think twice about this hack". Also not particularly Apple's problem but something that they should investigate to see if it can affect other services
What I take from this is that there are a couple of user (choice) applied hacks making a particular product not operate as it should. Does that mean apple should fix it so these hacks work? No. But do the implications of this hack extend beyond device supportability and operability? Of course. If you missed that bit, get off the train before you land in the driver's seat and crash us all.
If one's iphone, as a push client, can send any iphone ID to apple and receive all pushes (or copies of pushes) for that particular iphone ID, then the security implications for anyone using push are pretty blatant.
It amazes me that there are people who profess to be wise enough to understand technology, yet read this article without understanding it (see comments further up).
There's some very dodgy logic in this comment thread. "It's OK for hackers to be able to eavesdrop on push notifications because they've hacked their phones." is the message I got. I am disappoint.
Re Simon Newton
Nail on the head, and of course when Apple fixes it so that you can't spoof IDs and therefore breaks the push hacks again, the comments will be filled with "That why Apple is evilz" comments.
...who say their platform is more secure than Windows.
Even LANMAN's crappy security was better than this, and that was 15+ years ago. This isn't secure - hell, this isn't even PRETENDING to be secure. Maybe Apple thought the "security through obscurity" plan worked so well for Microsoft, they'd give it a try as well. Too bad the world (and black hats) have largely grown up since then...
...to find the actual weak point here, yet.
The hacks are spoofing the phone's ID. That makes it not a manufacturer problem, but a network provider problem, because the network provider's servers are what pushes messages to each and any phone logged in with that ID.
Considering that spoofing a phone's ID seems to be relatively simple (looks like people have already done it...), it's up to the network providers to work out a solution that more securely identifies the phones checking in. iDon't know, maybe check against a hash made from the ID with the MAC, just to name the first thing that came to my mind.
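Added example (not part of the thread, and not Apple's or any network provider's code): a hypothetical gateway comparing three ways of identifying a device that checks in: a bare ID, the hash of ID and MAC suggested in the comment above, and a challenge-response keyed with a per-device secret. The device ID, MAC, key, class and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment record for one device; all values are made up.
DEVICE_ID = "device-0001"
DEVICE_MAC = "00:11:22:33:44:55"
DEVICE_KEY = secrets.token_bytes(32)  # hypothetical per-device secret

def id_mac_hash(device_id, mac):
    return hashlib.sha256(f"{device_id}|{mac}".encode()).hexdigest()

def sign(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Gateway:
    """Hypothetical push gateway; not modelled on any real service."""
    macs = {DEVICE_ID: DEVICE_MAC}
    keys = {DEVICE_ID: DEVICE_KEY}

    def check_bare_id(self, device_id):
        # Weak: whoever presents a known ID is treated as that device.
        return device_id in self.macs

    def check_id_mac_hash(self, device_id, digest):
        # ID and MAC are both observable, so anyone can recompute this.
        mac = self.macs.get(device_id)
        return mac is not None and hmac.compare_digest(
            id_mac_hash(device_id, mac), digest)

    def check_response(self, device_id, challenge, response):
        # Stronger: proof of a secret that never leaves the device,
        # computed over a fresh server nonce so it cannot be replayed.
        key = self.keys.get(device_id)
        return key is not None and hmac.compare_digest(
            sign(key, challenge), response)

def demo():
    gw, nonce = Gateway(), secrets.token_bytes(16)
    stale = sign(DEVICE_KEY, nonce)
    return {
        "bare_id_copy_accepted": gw.check_bare_id(DEVICE_ID),
        "hash_copy_accepted": gw.check_id_mac_hash(
            DEVICE_ID, id_mac_hash(DEVICE_ID, DEVICE_MAC)),
        "genuine_accepted": gw.check_response(DEVICE_ID, nonce, stale),
        "wrong_key_accepted": gw.check_response(
            DEVICE_ID, nonce, sign(secrets.token_bytes(32), nonce)),
        "replay_accepted": gw.check_response(
            DEVICE_ID, secrets.token_bytes(16), stale),
    }
```

Calling `demo()` returns which of the five check-ins the gateway accepts; the first two pass with copied values alone, while the keyed check fails without the device's secret or with a stale response.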
You may be right, but the fact that you are missing (or knowingly ignoring) is that the threat is highly mitigated by the fact that the phone--stock, as per manufacturer's specs--won't allow the spoofing to take place.
Perhaps this is why Apple is not contacting this "hacker" in a hurry; at the moment, only those who hack their iPhones are at risk, and so it is not Apple's problem.
I will hazard a guess that Apple will in time lock down their infrastructure to eliminate this potential risk, but aren't in a rush to do so; nor to acknowledge a theoretical flaw in their system which can only be manifested by those who already circumvented the licensing rules and security mechanisms of the device.
-dZ.
..and just deactivate all phones with the 'hack' ID.
This isn't even all phones which are unlocked.. it's phones that haven't been activated on O2 before they were unlocked, so they never got their unique ID. Since apple stores generally don't let you leave the store without activating the phone, that's not going to be a huge percentage of phones.
Actually this flaw could be utilised quite easily.
Step 1. Write 'push' app, wait for people to register push on your server.
Step 2. Find a juicy device token
Step 3. Modify your phone to have that token. Install AIM. Wait.
It should be damned near impossible to spoof devices, but it appears to be trivially easy.. which means that something is badly wrong, security wise.
So you're telling me that I only need to find out my boss's iPhone's ID and then hack my iPhone to have the same ID then I can secretly receive all the push notifications that my boss gets?
If you had your boss's ID he'd still have to have hacked his phone too for this to work