Jesus Phone vuln delivers fanboys to phishermen A security expert is advising iPhone users to steer clear of the device's default email application until engineers rework what he calls "a pretty dumb design flaw" that could expose users' email addresses to spammers and other online frauds. The warning comes two and months after researcher Aviv Raff first reported two email- …
it's a bit unsettling that as time passes I start to agree with Webster in certain aspects. Apple's got interface, ease-of-use, and aesthetic industrial design covered, but they really need to play catch up with bugs, security flaws, and hardware defects.
*sigh* Success breeds carelessness, it would seem.
Can we have a Steve icon with both halo and horns?
No need to agree with a rabid, pestilence-spreading troll to see that a design flaw is a design flaw. And that's precisely what this is--indeed, even a slightly embarrassing one. That being said, the issue now is when it will be patched--not if, because such a flaw cannot go unpatched. If a year goes by, Apple will deserve strong criticism; if a week goes by, less so.
Paris, because she knows about avoiding rabid, pestilence-spreading trolls.
"... the link appears to point to https://securelogin.facebook.com/reset.php? ..."
No, it appears to point to http://securelogin.facebook.com/reset.php?...
"... the address bar shows only https://securelogin.facebook.com/reset.php?...
Again, it would actually show http://securelogin.facebook.com/reset.php?...
One would expect a tech reporter to know http from https. Of course, one would also expect a software developer to be able to write a proper URI parser. Perhaps one's expectations are too high?
This needs to be fixed urgently so that the 0.01% of users who actually closely look at a link in an email before clicking on it are no longer at risk!
El Reg readers see a URL and can instantly identify all the parts and see something is not right. To Average Joe it looks about as complex as an equation Stephen Hawking might come up with and doesn't even being to try and read it.
You could create an email that looks like it comes from paypal with a link to clickheretoloseallyourmoney.com and the masses would still click it.
"rabid, pestilence-spreading troll"
Don't beat around the bush, mush, say what you really mean ;-) Need. a. coffee-proof. keyboard. now. :^)
I disagree with your year though, a couple of months is about the limit for a hole like this.
Paris, so she can sic a pestilence on all rabid trolls.
There is not a problem with the iPhone luring people to sites like this, only the stupid gullibility of users who blindly go where their led. Use the brain cells you have and protect yourself, don't always pass the buck to others because of your own inability to think.
Think before you click.
Get a Mac, get a good life.
HTML mail is the real culprit but Jobs deserves a good kicking for embracing it so wholeheartedly. AppleMail is okay (not as good as Mr. Carruthers own mailer but that's by the by) but it has never had a "Display mail as text" option and comes with a load of "templates" which suggest that you can reliably style ASCII text.
FCUM!
I use apple products like the itouch and apple mac laptop, but what gets me is the fact that when someone reports a defect that has the effect to cause major problems then those boys and girls at apple need to to be a little open when it comes to time scales for releasing a fix.
Something like this should have apple putting out some sort of statement saying 'A fix will be released on x date' simple as that.
Regards
Bob
Since web"masters" have managed to make anything-but-msie-html (webpage sends you to a dedicated page if not using msie), how about setting up a standard catch-all that redirects safari-on-iPhone to a dedicated page warning the owner that "you are using iPhone. Since there are several unfixed security bugs with the iPhone, that Apple wants to hide under the carpet, we have been forced to block all access to our site from the iPhone. We will reconsider this policy IF, and only if, Apple manages fix their broken attitude. Until then, feel free to come back using anything but safari."
If sufficent amount of websites include such a message, I have the slight feeling RFC (Rotten Fruit Corp) may consider increasing their speed for security-cleanups to something less glacial.
//Svein
Mm. Nice, so you can appear to be a 'trusted' website (forgetting any https controls) as long as the trusted website has exactly 24 characters in it. Aviv even needed to make up the domain 'securelogin.facebook.com' to get this to work right - that domain name does not even exist.
I'm an iPhone user, and now really quaking in my boots with this revelation.. Honest gov..
being URL truncation and automatic image downloading are similar to problems that Microsoft had years ago - and fixed years ago - on the Windows platform (and indeed seem to have avoided on Windows Mobile completely), and were vilified loud and long for having. @ Kiminao - this isn't "slightly embarassing", these are bloody GLARING security holes that should never have been allowed to make it into the released product. Funnily enough, the same sort of flaws provoked howls of derision from Apple fans, and anyone daring to say anything like "That being said, the issue now is when it will be patched--not if, because such a flaw cannot go unpatched." would have been vilified as a credulous buffoon. Ah well, how the wheel turns, eh?
Evil Steveil for obvious reasons...
Embarrassing nuisance as far as security flaws go. iPhone security seems to be dragging worryingly behind Mac security. As the two are both based on the same code (apparently) you would have thought keeping the necessary updates released in sync would be easier for the developers.
Unless (shock horror!!) Apple are telling a few porkies about the code being the same ;-)
On another note, isn't the "fanboy" bit getting old now? Apple customer base has grown quite a large amount past that core Mac evangelism crowd of the last millennium and even encompasses normal socially functional human beings these days. How about El Reg give it a rest?
"On another note, isn't the "fanboy" bit getting old now? Apple customer base has grown quite a large amount past that core Mac evangelism crowd of the last millennium and even encompasses normal socially functional human beings these days. How about El Reg give it a rest?"
Come on! The Apple community has long been stomping around with a smug sense of superiority every time every little security bug is announced in Windows. There's a long way to go to redress the balance and they are a viable target :-)
Thought it was a bit poor having no option to not download external images. You'd have hoped someone at Apple would have noticed the lack of feature and identified it as a high priority issue. No-one else seemed to have identified it either when I spotted it happening and Googled the problem.
Annoying when you see a spam email come in, so ignore it and read the others, delete after reading them and then the email client goes and opens the next one in the list which happens to be the spam one and loads the images. Grr!
The URL truncation 'flaw' I can forgive and as Tony Chandler previously said what are they reasonably going to do with very long addresses on a quite small screen? User awareness (as always) is key to void being duped like this. MacOS, Windows, whatever - there be monsters in them thar links.
The automatic downloading of images in email however, that's quite an impressive dropping of the ball. Spamtastic! Can't imagine that would be too hard to fix though, and if Apple really do want to get these things into wide corporate usage I'm surprised it's taking as long as it has.
Clam
The email app shows a preview, which is more than often shows the email as being spam.
These security researchers do tend to target Apple, there's almost certainly tons of holes in Windows Mobile purely because the Internet Explorer and Email apps in WM don't get updated like the desktop versions do. Your phone vendor is unlikely to give you a new ROM to fix a security hole and so you're stuck with a compromised phone.
At least with Apple they fix such problems.
Something should really be done about links in emails. It is there for convenience, and is really useful on devices that don't have real keyboard input so typing would be too cumbersome. Would a message box work clarifying the domain solve this? 'You are about to navigate to the domain "securelogin.facebook.com" on HTTPS. Continue?' This could be a standard thing on all email clients, much the same way as not downloading images is (or not).
Companies don't do themselves any favours with the types of links they put in emails either. e.g. http://email1.paypal.co.uk/u.d?PG2ZaAmgKj7fd4Uep=390 . If they want average joe to be able to identify phishing emails, they need to keep it simpler.
You've ignored one problem completely (the one that looks more serious), and totally missed the point of the other. I'm relatively neutral when it comes to Macs, but these are a pair of mistakes that are quite serious and should never have left the test lab - although the URL hiding is almost excusable as other people have said.
The image download issue opens you up to any renderer bugs as well as letting spammers know that your address is valid, read, and has someone with an iPhone at the end of it (agent string sent when collecting the image). All in all, a definite "no-no". I read my mail using a command line text only client most of the time (at home that is, work is enforced as outlook) - and then only open mails in something more "intelligent" if I'm happy that it's safe and it warrants the effort, this approach of "least possible attack vector" is common sense, and all apps should work that way by default.
The URL masking is such that it will completely hide the real URL you're at. Yes, an IT novice (or complete moron, everyone's been hammered to death enough to know about this by now) is as likely to click on an obfuscated link as they are one that has been hidden like this - but for most of the world this is more of an issue. Fixing it is going to be an issue of finding how to show the whole hostname if it's too long. One option would be to have the maximum width for the hostname, and scroll it while it's too long. Not a "nice" solution, but one that would do the job
Of course - no-one should click a link in an email anyway to get to anything "secret", you should open a browser and type the URL in yourself, but we all have "lazy" days.
"What would we have Apple do for that second problem? Make the URL bar 95% of the screen when browsing a long URL on Safari?"
Keep the space fairly small but auto-scroll the text? It's a little extra work, but surely "displaying the wrong text" is just unforgivable.
"One would expect a tech reporter to know http from https."
Meow! Sadly, it doesn't require much in the way of additional "elite hacker" skills to set up a site listening for SSL connections and to send someone a link beginning with https instead of http. Or did they need to spell everything out for you?
Actually it does take a bit more than that. You need a certificate which matches the URL in the address bar. Which needs to be issued by a CA your browser trusts. Or else you'll get certificate errors. Which means you'll need to buy that certificate from one of the major cert providers.
Now walk us through how you're going to persuade verisign to issue a certificate for a url which begins "securelogin.facebook.com" to you will you please? Hmmm?
"Mm. Nice, so you can appear to be a 'trusted' website (forgetting any https controls) as long as the trusted website has exactly 24 characters in it. Aviv even needed to make up the domain 'securelogin.facebook.com' to get this to work right - that domain name does not even exist."
Er yeah, since everybody does a whois when they get a link and we all know all possible subdomains on every site we use? are you for real or just being intentionally stupid?
It works great just as long as the 24 char url is plausible - this vulnerability is a phishers wet dream
But not by Apple it would seem. Anyone else read anything about cognitive dissonance? Interesting stuff that helps explain why iPhone owners are on here defending the indefensible.
The URL truncation thing is just piss-poor implementation; Apple should be embarrassed enough by the simplicity of the exploit to have fixed it by now. Want an SSL cert for the entire avivraff.com domain? Simple: http://www.digicert.com/wildcard-ssl-certificates.htm
The solution (as mentioned above) is to display: http://...com.avivraff.com/...reset.php or similar. That can't be too hard now, can it?
NB I'm not on the outside pissing in. I too have an iPhone. So I'm on the inside, but I admit I'm pissing...
Yawn, not the tired old "more users means more vulnerabilities" argument again. If that's true then why aren't there hundreds or thousands of vulnerabilities for the 150 million or so iPods that Apple have sold? Likewise why aren't there any viruses for the tens of millions of Macs out there? There are tens of millions of Linux boxes (desktops, servers and embedded systems) and how many viruses and worms for them?
Isn't it time you educate yourself a bit better about IT security?
WRT this phishing and images-in-email issue Apple really should sort it out, and quickly. While they're fixing the display of the URL they should also make the iPhone check the domain against a blacklist, as other mail clients and browsers do.
How can anyone forgive the URL truncation error?
They are not just truncating the complete URL (which is acceptable), they are truncating the hostname portion of the URL in a way that serves no other purpose but to allow their customers to be deceived. IMHO this is very close to criminal negligence. Even more so when they haven't released a fix for it in a timely manner despite the fact that the code change would probably only take 5 seconds (and probably 2-3 days in test).
On the other hand, I tend to view the image download issue as very minor - it really boils down to them forgetting. Yes it's an oversight, but it's one that just about every other email client made in their early versions. The code change to fix this is more complicated and as new functionality more likely to be released as part of a bigger firmware upgrade rather than a small patch.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
