Apple's iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they're protected by the SSL, or secure sockets layer, protocol, a security researcher said. The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization's IT policies, said Charlie …
iPone (sic) Phish Enabled(tm) Jesus Phone to go along with your Windows XP Espionage Enabled(tm) Computer. Best of both worlds!
and if you walk in front of a bus you get run over ... you still have to be an idiot in both cases.
So this trick...
...requires an SSL certificate issued to a fraudulent company? What exactly are the CAs charging us for?
I think they're called....
expensive ones and zeros
What the CAs are charging you for are the most expensive ones and zeros in the world. Thankfully some of the money derived from their sale is funding the Ubuntu improvements being made to Linux.
Or a PHB
"you still have to be an idiot in both cases"
Or a CEO, CFO or standard member of senior management who is easy to dupe with promises of pr0n or the latest Ferrari pics.
Paris, 'cause that's what the idiots expect to see.
So let's get this right, you have to be tricked into downloading and running a dodgy program that somebody emails you or you download from a pr0n site AND you have to confirm that you want to install it on your iPhone and that's a big security flaw?? Why is this even news?
Just a spoofed e-mail account is needed
Send out an e-mail to all users in a corporation with a line like "Security update for iPhone" and attach the XML; the person will undoubtedly 'install' it since it is signed. (Hell, you don't even need that part.)
So they discussed the hack, the author "claims" it works but conveniently has none of the necessary parts he needs to recreate the hack?
Wow....well I claim that I'm the world's richest man. I have none of the money needed to back up my claim but you should believe me anyway.
Getting people to click on links in iPhones is not likely to be that difficult. Various Twitter clients truncate URLs into tinyUrl etc etc. You have no idea of the actual destination URL when you click on these. It's fairly common at the moment. So that just leaves the click "ok thing"......
"It's like SPAM only better!"
...and for every clued up Apple Fanboi* there's hundreds** of "it just works" dumbf***s who'd fall for this if it hit them***.
*Most of them.
**Probably thousands, to be honest.
***Which is unlikely, unfortunately >:-}
because the file claims to come from Apple and is 'verified'. Why wouldn't the user install it if it says you can trust it all over the screen? RTFA!
What, you mean just like those browser popups that randomly appear when you visit dodgy web sites saying "Warning: Your system is insecure, click here to install the latest Microsoft security updates" ?
You realize it is the *iPhone* the one doing this? The one that the Mactards insist is flawless, and doesn't have any of those "your system is insecure" malware vectors???
As an even greater insult, the "verified" config comes from Apple Computer, which is easy to register as thanks to Apple ditching its original name: "Apple Computer". If they still had that one, the guy who got the legit SSL cert wouldn't have been able to do so. Of course, this also makes you wonder how would a CA not realize that someone asking for "Apple Computer" might be phishing.
as in here is some magic sauce coming from apple. It's good for you. Steve approved ...
all in unison : baaa baaa