As discovered by security researcher Aviv Raff

Jul 25, 2008 08:57 GMT  ·  By

According to security researcher Aviv Raff, the Mail and Safari applications on the iPhone are vulnerable to URL spoofing: an attacker can exploit the flaw to mount a phishing attack against the user, making a link appear to point at a trusted site when it does not. The problem itself is not new; Raff and a handful of other security researchers were waiting to see whether the newly launched iPhone 2.0 firmware carried the same vulnerabilities as earlier versions, and it does.

"By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.). When clicking on the URL, the Safari browser will be opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain," said Aviv Raff.

This is a security issue with the Mail and Safari applications on iPhone 1.1.4 and 2.0, as well as earlier versions.
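The attack Raff describes works because what the user sees (a link in a mail message, or the text in the address bar) is not the host the browser actually connects to. The specific iPhone trick was not disclosed, so the following is an added example, not code from the article or from Raff's advisory: it shows the kind of check a mail client or a security tool can make, namely parsing each link with a standards-compliant URL parser, reporting the effective host, and flagging links whose visible text claims a different host than the href. The sample links and the trusted domain "paypal.com" are constructed assumptions illustrating generic spoofing patterns (trusted name in the userinfo part, in a look-alike subdomain, or in the path), not the undisclosed iPhone technique.

```javascript
// Added example; not code from the article or from Aviv Raff's advisory.
// The specific iPhone trick was not disclosed, so the sample links below
// are constructed to illustrate generic URL-spoofing patterns only:
// a trusted name in the userinfo part, in a look-alike subdomain, or in
// the path. The trusted domain "paypal.com" is an assumed example.

// Host a standards-compliant URL parser would actually connect to.
// Throws on input that is not a valid absolute URL.
function effectiveHost(urlString) {
  const u = new URL(urlString);
  // Lower-case and drop a trailing dot so "Evil.Example." == "evil.example".
  return u.hostname.toLowerCase().replace(/\.$/, "");
}

// True only if the URL's effective host is the trusted domain itself or a
// subdomain of it (dot-boundary check, so "notpaypal.com" does not match).
function isTrustedHost(urlString, trustedDomain) {
  let host;
  try {
    host = effectiveHost(urlString);
  } catch (e) {
    return false; // unparsable links are never trusted
  }
  const trusted = trustedDomain.toLowerCase().replace(/\.$/, "");
  return host === trusted || host.endsWith("." + trusted);
}

// In an HTML e-mail the visible link text and the href can differ. If the
// text itself looks like a URL or a bare domain, the host it shows must be
// the host the href goes to; otherwise the link is reported as mismatched.
function linkTextMismatch(displayText, href) {
  const text = displayText.trim();
  const looksLikeUrl = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(text);
  if (!looksLikeUrl) return false; // plain words carry no host claim
  const shownUrl = /^https?:\/\//i.test(text) ? text : "http://" + text;
  try {
    return effectiveHost(shownUrl) !== effectiveHost(href);
  } catch (e) {
    return true; // a claimed host we cannot even parse is a mismatch
  }
}

// Constructed sample links, as they might appear in a phishing mail.
const SAMPLE_LINKS = [
  { text: "https://www.paypal.com/signin", href: "https://www.paypal.com/signin" },
  { text: "https://www.paypal.com/signin", href: "https://www.paypal.com@evil.example/signin" },
  { text: "www.paypal.com", href: "https://www.paypal.com.secure-login.evil.example/" },
  { text: "Log in to PayPal", href: "https://evil.example/paypal.com/signin" },
];

// One report entry per link: effective host, whether the URL carries
// userinfo (a trusted name before '@' is a classic disguise), whether the
// host is under the trusted domain, and whether text and href disagree.
function analyzeLinks(links, trustedDomain) {
  return links.map(({ text, href }) => {
    let host = null;
    let userinfo = false;
    try {
      const u = new URL(href);
      host = effectiveHost(href);
      userinfo = u.username !== "" || u.password !== "";
    } catch (e) {
      // unparsable href: host stays null, trusted will be false
    }
    return {
      href,
      host,
      userinfo,
      trusted: isTrustedHost(href, trustedDomain),
      textMismatch: linkTextMismatch(text, href),
    };
  });
}

for (const r of analyzeLinks(SAMPLE_LINKS, "paypal.com")) {
  console.log(r);
}
```

Only the first sample link comes out as trusted; the second is caught by the userinfo flag and the host check, the third by the subdomain boundary check, and the fourth by the host check alone (its text makes no host claim, so there is no text mismatch to report). A client that rendered the parsed hostname rather than the raw string, as this example does, would give the user the same information.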

Raff has not released any technical details of the vulnerabilities to the general public, as he wants to give Apple's engineers time to come up with a fix. Security vendors that would like additional information on the matter can obtain it by contacting him directly.

What should you, as a user, do to avoid falling victim to a phishing attack? If you receive an e-mail message that asks you to update your security credentials and provides a link, do not click on it. Instead, type the site's URL into the browser yourself and log in to your account from there; that is the best defence no matter where you access the web from.

Raff also reports a second problem: the iPhone can be spammed, not just phished, and he considers that a security issue as well. "This is a basic security design flaw which might already be exploited in-the-wild. iPhone users should consider not using the Mail application until Apple fixes this issue, unless they want to be spammed," says Aviv Raff.