back to article iPhone Mail bug adds phishing danger

Flaws in the Mail and Safari applications bundled with the iPhone leave users of the device at greater risk of phishing attacks. A URL-spoofing vulnerability means that a dodgy domain pointed to by a specially crafted URL can appear to be that of a trusted brand when viewed through the iPhone's mail or Safari browser …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Tap & Hold

    Here's a tip; if you tap on a link in an e-mail and hold for a second or two, the URL pops up for your delighted perusal.

  2. Anonymous Coward
    Anonymous Coward

    can somebody please elaborate on this?

    I fail to see how a link to a malicious website sent in a mail would be specific to any particular mail client or device?

    If a Nigerian scammer sends you mail and asks you to tell them your bank details, how can you blame any device or software if you are stupid enough to do so?

    Of course a baby-with-the-bathtub solution would be to block all email that contains a URL. Is that what this "researcher" suggests the iphone is doing wrong?

  3. vincent himpe

    a permanent solution.

    Why don't browsers simply implement this simple solution:

    When a block of text is marked as url : use that block of text and not an embedded link. Then there is no more hide and seek .... At least give browsers an option flag to use either the embedded link or the text of the link itself. and an option to display either the original text or directly the attached link when rendering the page.

  4. Anonymous Coward

    Not perfect???

    Gosh, you mean an Apple product is not perfect? Wait... What? Oh, you're on about the iPhone! That explains it then.

  5. Tim J

    Re: Tap & Hold

    Yeah, but *if* the vulnerability means that the bad guys can fake the URL that pops up then your tap & hold proceedure is rendered useless.

    Of course that's a big if - I've no idea what the specifics of this vulnerability are.

  6. Rich

    Probably the IDNA vulnerability

    Where a domain name in a non-latin character set looks like a different one in English (aka homograph spoofing attack).

    There are various fixes for this in most current desktop browsers.

    Try on your iPhone and see what it does?

  7. Tony Hoyle


    I'm not sure what that shmoo site is trying to tell me?

    It comes up with a link saying 'IDN spoofed URL'. You click on that and it comes up with a page saying 'The fake TSG'.

    I tried it on firefox and safari and they behave in exactly the same way.

    As the fake and 'real' pages have different URLs this to me proves nothing... that links to different pages go to different pages? What am I missing?

  8. Bickus Dickus

    Robot says...

    Maybe hardware not the weak link. Maybe other thing. BEEP.

  9. Anonymous Coward
    Jobs Halo

    Iphone not the problem

    I don't why you think this is an issue with the Iphone. The Iphone and all products that Apple make are beyond critism from any mere mortals.

    Obviously this is a flaw with the rest of the universe and this need to be changed to ensure that it doesn't impact upon any his Jobiness creations.

    PS. Obviously if a similar exploit if found any other operating system then its obvioulsy a major security issue with that system anybody using that system should be struck down by lightning.

  10. Anonymous Coward
    Anonymous Coward

    Banks don't send email

    You can safely ignore and delete any email that purports to come from a bank. Banks don't send email, they send old fashioned letters on old fashioned paper.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021