
iPhone vulnerable to remote attack on SSL

Apple's iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they're protected by the SSL, or secure sockets layer, protocol, a security researcher said. The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization's IT policies, said Charlie …

COMMENTS

This topic is closed for new posts.
WTF?

Damn cool...

iPone (sic) Phish Enabled(tm) Jesus Phone to go along with your Windows XP Espionage Enabled(tm) Computer. Best of both worlds!

FAIL

Errr...

and if you walk in front of a bus you get run over ... you still have to be an idiot in both cases.

Stop

So this trick...

...requires an SSL certificate issued to a fraudulent company? What exactly are the CAs charging us for?

Anonymous Coward

i think they're called....

profits.

Go

expensive ones and zeros

What the CAs are charging you for are the most expensive ones and zeros in the world. Thankfully some of the money derived from their sale is funding the Ubuntu improvements being made to Linux.

Paris Hilton

Or a PHB

"you still have to be an idiot in both cases"

Or a CEO, CFO or standard member of senior management who is easy to dupe with promises of pr0n or the latest Ferrari pics.

Paris, 'cause that's what the idiots expect to see.

Dead Vulture

User permission

So let's get this right, you have to be tricked into downloading and running a dodgy program that somebody emails you or you download from a pr0n site AND you have to confirm that you want to install it on your iPhone and that's a big security flaw?? Why is this even news?

FAIL

Just a spoofed e-mail account is needed

Send out an e-mail to all users in a corporation with a line like "Security update for iPhone" and attach the XML, the person will undoubtedly 'install' it since it is signed (Hell you don't even need that part)

FAIL

Slight failure....

So they discussed the hack, the author "claims" it works but conveniently has none of the necessary parts he needs to recreate the hack?

Wow....well I claim that I'm the world's richest man. I have none of the money needed to back up my claim but you should believe me anyway.

Unhappy

Rick Rolling

Getting people to click on links in iPhones is not likely to be that difficult. Various Twitter clients truncate URLs into tinyUrl etc etc. You have no idea of the actual destination URL when you click on these. It's fairly common at the moment. So that just leaves the click "ok thing"......

"It's like SPAM only better!"

Grenade

and...

...and for every clued up Apple Fanboi* there's hundreds** of "it just works" dumbf***s who'd fall for this if it hit them***.

*Most of them.

**Probably thousands, to be honest.

***Which is unlikely, unfortunately >:-}

Thumb Down

@Rolf Howarth

because the file claims to come from Apple and is 'verified'. Why wouldn't the user install it if it says you can trust it all over the screen? RTFA!


@petur

What, you mean just like those browser popups that randomly appear when you visit dodgy web sites saying "Warning: Your system is insecure, click here to install the latest Microsoft security updates" ?

Boffin

Erm

You realize it is the *iPhone* the one doing this? The one that the Mactards insist is flawless, and doesn't have any of those "your system is insecure" malware vectors???

As an even greater insult, the "verified" config comes from Apple Computer, which is easy to register as thanks to Apple ditching its original name: "Apple Computer". If they still had that one, the guy who got the legit SSL cert wouldn't have been able to do so. Of course, this also makes you wonder how would a CA not realize that someone asking for "Apple Computer" might be phishing.

Anonymous Coward

Apple Sauce

as in here is some magic sauce coming from apple. It's good for you. Steve approved ...

all in unison : baaa baaa
