Raff Discloses Flaws Related To iPhone
On Thursday, security researcher Aviv Raff disclosed two security flaws in the iPhone that could help attackers trick users into unknowingly browsing to unwanted destinations.
Raff had first reported these flaws to Apple back in July, but since the company did not address them with patches, he felt he had no choice but to disclose them publicly.
The first flaw exists in the iPhone's Mail application and Safari web browser, which shorten parts of long URLs when displaying them. Attackers can exploit this to disguise malicious URLs, since users are never shown the full address before following the link.
According to Raff, “In most mail clients... you can just hover [over] the link and get a tooltip [showing] you the actual URL that you are about to click. In iPhone it's a bit different. You need to click the link for a few seconds in order to get the tooltip. Now, because the iPhone screen is small, long URLs are automatically cut off in the middle.”
He explained that an attacker can craft a long URL that begins with a legitimate domain name but actually leads to an entirely different and unknown location. Users are easily tricked into clicking such a link, since only the familiar-looking part of the domain name is visible to them.
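The following is an added example, not code from the article or from Raff, showing why a middle-truncated URL preview is misleading and what a parse-based preview should show instead. The article does not say how Raff built his URL; the two constructions below (a legitimate-looking hostname used as leading subdomain labels of an attacker-controlled domain, and a hostname placed in the userinfo part before "@") are assumptions that satisfy its description. The hostnames, padding length and truncation widths are constructed placeholders.

```javascript
// Added example (not from the article): middle-truncated URL display versus a
// preview built from the parsed URL.

// Middle truncation as the article describes the iPhone display: keep the
// first `head` and the last `tail` characters and elide the middle.
function truncateMiddle(text, head, tail) {
  if (text.length <= head + tail) return text;
  return text.slice(0, head) + '…' + text.slice(text.length - tail);
}

// Assumed construction 1: a legitimate-looking hostname as the leading labels
// of an attacker-controlled domain, followed by a long path so that the real
// domain falls into the elided middle. All names here are placeholders.
const LEGIT_HOST = 'www.apple.com';
const ATTACKER_DOMAIN = 'attacker.example';
const PADDING = 'a'.repeat(120);
const subdomainUrl = `https://${LEGIT_HOST}.${ATTACKER_DOMAIN}/iphone/${PADDING}/account/login.html`;

// Assumed construction 2: the legitimate hostname in the userinfo part of the
// URL; everything before "@" is credentials, not the host.
const userinfoUrl = `https://${LEGIT_HOST}@${ATTACKER_DOMAIN}/${PADDING}/account/login.html`;

// The host the link actually resolves to, per the URL parser.
function effectiveHost(url) {
  return new URL(url).hostname;
}

// Approximate registrable domain as the last two labels. Assumption: no
// public suffix list is consulted; production code should use one.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// True when the truncated preview does not show the registrable domain of
// the real target, i.e. the display hides where the link goes.
function previewHidesRealDomain(url, head, tail) {
  const preview = truncateMiddle(url, head, tail);
  return !preview.includes(registrableDomain(effectiveHost(url)));
}

// Safer preview: lead with the parsed hostname, then the (truncated) path.
// Truncating the path never hides the host.
function safePreview(url, maxPath) {
  const u = new URL(url);
  const path = u.pathname + u.search;
  const shownPath = path.length > maxPath ? path.slice(0, maxPath) + '…' : path;
  return `${u.hostname}${shownPath}`;
}

// Stand-alone demonstration.
for (const url of [subdomainUrl, userinfoUrl]) {
  console.log('truncated:', truncateMiddle(url, 21, 15));
  console.log('real host:', effectiveHost(url));
  console.log('safe     :', safePreview(url, 40));
}
```

Run with `node` to compare the three lines for each URL: the truncated preview opens with the familiar hostname, while the parsed host and the safe preview both put the attacker's domain first. The lesson for a mail or browser client is to derive the preview from the parsed URL rather than from its leading characters.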
“iPhone Mail is also vulnerable because it automatically downloads images linked in HTML-formatted emails,” added Raff.
Most email client software lets users require approval before the images in each message are downloaded. Setting this option protects users against spammers: if a recipient opens a spam email and its images are downloaded, the spammer learns that the message reached an active email account.
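The following is an added example, not code from the article or from any mail client, showing how a tracking image in an HTML email reveals an active address and how a "block remote images until approved" filter defeats it. The sample message, the tracker hostname and the recipient token are constructed; the regular expressions are a deliberately small stand-in for the HTML parser a real client would use.

```javascript
// Added example (not from the article): remote-image tracking in HTML mail
// and a block-until-approved filter.

// Constructed sample message: one inline data: image (local, harmless) and
// two remote references whose query strings carry a per-recipient token.
// Fetching either one tells the sender that this address is live.
const SAMPLE_HTML = `
<html><body>
<p>Special offer!</p>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="logo">
<img src="https://tracker.example/open.gif?rcpt=7f3a9c" width="1" height="1">
<div style="background:url('https://tracker.example/bg.png?rcpt=7f3a9c')"></div>
</body></html>`;

const IMG_SRC_RE = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
const CSS_URL_RE = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;

// Only http(s) references cause a network fetch; data: and cid: stay local.
function isRemote(url) {
  return /^https?:\/\//i.test(url);
}

// List the remote image URLs an HTML body would fetch when rendered.
function remoteImageUrls(html) {
  const urls = [];
  for (const re of [IMG_SRC_RE, CSS_URL_RE]) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) {
      if (isRemote(m[1])) urls.push(m[1]);
    }
  }
  return urls;
}

// Rewrite remote image references to about:blank so nothing is fetched until
// the user approves. `approvedOrigins` is an assumed allow-list of origins
// the user has already approved (e.g. 'https://mail.example').
function blockRemoteImages(html, approvedOrigins = []) {
  const blocked = [];
  const approved = (url) => approvedOrigins.includes(new URL(url).origin);
  const rewrite = (match, url) => {
    if (!isRemote(url) || approved(url)) return match;
    blocked.push(url);
    return match.replace(url, 'about:blank');
  };
  const out = html.replace(IMG_SRC_RE, rewrite).replace(CSS_URL_RE, rewrite);
  return { html: out, blocked };
}

// Stand-alone demonstration.
console.log('would fetch:', remoteImageUrls(SAMPLE_HTML));
const { html, blocked } = blockRemoteImages(SAMPLE_HTML);
console.log('blocked    :', blocked);
console.log(html);
```

The inline data: image survives untouched, both tracker references are neutralised, and the blocked list is what a client would show next to a "load remote images?" prompt. A production client should run this on a real HTML parser and also cover other fetch vectors (CSS `@import`, `<link>`, `<video poster>`), which the regular expressions here do not attempt.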
Raff added, “This one is not just a trivial bug. It's actually a pretty dumb design flaw, which was already fixed by all other mail clients ages ago.”