If at first you don't succeed; call it version 1.0
Thursday, 02 October 2008

We've just passed the Jewish new year's holiday. Happy new year! It's a custom in this holiday to eat an apple and honey for a sweet new year.

Sadly, this year starts with a slightly sour Apple. If you follow my blog, you probably remember that I wrote about two vulnerabilities I found in Apple's iPhone.

I disclosed the technical details to Apple a few weeks before that post, in the hope of getting those security issues fixed as soon as possible. Unfortunately, two and a half months later, there is still no patch for those vulnerabilities. I've asked Apple several times for a schedule, but they have refused to provide a fix date. Three versions (v2.0.1, v2.02, v2.1) have been released since I provided them with the details, and they are still "working on it". Therefore, I've decided to publicly disclose the technical details.

Both issues are pretty trivial, and can be easily fixed by Apple.


Phishing vulnerability

The iPhone's Mail application can be used to view both HTML and plain text mail messages. When the mail message is in HTML format, the text of links can be set to a different URL than the actual link. In most mail clients (e.g. on your PC / Mac), you can just hover the link and get a tooltip which will tell you the actual URL that you are about to click.

On the iPhone it's a bit different. You need to click and hold the link for a few seconds in order to get the tooltip. Now, because the iPhone screen is small, long URLs are automatically cut off in the middle. So, instead of "hxxp://www.somedomain.com/verylongpath/verylongfilename", the tooltip will show you something like "www.somedomain.com/very...ilename".

The problem here is that an attacker can set a long subdomain (~24 characters) that, when cut off in the middle, will look as if it's a trusted domain. The following iPhone screenshot shows an example:



In this example, the text of the link is "https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963", and the actual URL is http://securelogin.facebook.com.avivraff.com/reset.php?cc=534a556abd1006&tt=1212620963. However, when the victim tries to check what the actual link is, he will see: "securelogin.facebook.com...556abd1006&tt=1212620963". This will convince the victim that the link is from facebook.com, whereas it is actually from avivraff.com.

When the victim clicks this link, Safari for iPhone opens:


As you can see, the address bar shows "securelogin.facebook.co...", which will further convince the victim that he is on the right trusted domain. Furthermore, when clicking the address bar, the cursor jumps to the end of the URL. So, in order to view the real domain, the user has to scroll back, which requires a lot of clicks and patience.
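The following is an added example, not code from the original post: it models the tooltip's middle truncation on the two URLs above, shows that the genuine link text and the attacker's target collapse to the same displayed string, and contrasts two defender-side checks a mail client could use instead (the registrable domain, and a right-anchored host display that never drops the real domain). The 24/24 split, the two-label "registrable domain" heuristic and the display width are assumptions.

```python
from urllib.parse import urlsplit

# URLs taken from the post: the link text the victim sees and the real target.
LINK_TEXT = "https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963"
REAL_TARGET = "http://securelogin.facebook.com.avivraff.com/reset.php?cc=534a556abd1006&tt=1212620963"

HEAD = TAIL = 24  # characters kept on each side of the "..." (assumed from the screenshot)


def strip_scheme(url: str) -> str:
    """The tooltip omits the scheme, e.g. 'www.somedomain.com/very...ilename'."""
    parts = urlsplit(url)
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    return parts.netloc + rest


def truncate_middle(text: str, head: int = HEAD, tail: int = TAIL) -> str:
    """Model of the iPhone tooltip: keep the first `head` and last `tail` characters."""
    if len(text) <= head + tail + 3:
        return text
    return text[:head] + "..." + text[-tail:]


def registrable_domain(url: str) -> str:
    """Last two host labels. Simplification: a real client needs the Public Suffix
    List to get suffixes such as co.uk right."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def safe_display(url: str, width: int = HEAD) -> str:
    """Right-anchored host display: the end of the host (the real domain) always survives."""
    host = urlsplit(url).hostname or ""
    if len(host) <= width:
        return host
    return "\u2026" + host[-(width - 1):]


if __name__ == "__main__":
    # Both URLs truncate to "securelogin.facebook.com...556abd1006&tt=1212620963".
    print(truncate_middle(strip_scheme(LINK_TEXT)))
    print(truncate_middle(strip_scheme(REAL_TARGET)))
    # The checks a client should surface instead: facebook.com vs avivraff.com.
    print(registrable_domain(LINK_TEXT), registrable_domain(REAL_TARGET))
    print(safe_display(LINK_TEXT), safe_display(REAL_TARGET))
```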


Spamming vulnerability

This one is not just a trivial bug, it's actually a pretty dumb design flaw, which was already fixed by all other mail clients ages ago. Whenever you view an HTML mail message which contains images, a request is made to a remote server in order to get the image. Most mail clients today require you to approve the download of the images. This is done for a good reason.

If the images were downloaded automatically, the spammer who controls the remote server would know that you have read the message, and would mark your mail account as active in order to send you more spam. This "feature" is also known as a "Web Bug".

The iPhone's Mail application downloads all images automatically, and there is NO WAY to disable this feature!
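As an added example (not code from the post or from Apple), here is the approval step the other mail clients implement: a first render that strips every remote reference from the message HTML and reports what it dropped, so the client can show a "load remote images?" prompt and only re-render with remote loads allowed after the user agrees. It generalizes from images to the other elements that trigger a fetch; the element list and the sample message are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the renderer fetches from the network (assumed list).
REMOTE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}
# cid: points at an attachment inside the message, data: is inline; neither touches the network.
LOCAL_SCHEMES = {"cid", "data"}


class RemoteResourceBlocker(HTMLParser):
    """Rebuilds the HTML with remote references removed, keeping a list of what was dropped."""

    def __init__(self, allow_remote):
        super().__init__()
        self.allow_remote = allow_remote
        self.out = []
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        pieces = [tag]
        for name, value in attrs:
            if (name == REMOTE_ATTRS.get(tag) and value is not None
                    and urlsplit(value).scheme.lower() not in LOCAL_SCHEMES
                    and not self.allow_remote):
                self.blocked.append(value)
                continue  # drop the attribute: nothing is fetched, no "message read" signal leaves
            pieces.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join(pieces) + ">")

    # Treat <img ... /> like <img ...> so no spurious closing tag is emitted.
    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_mail_html(message_html, allow_remote=False):
    """Render with allow_remote=False first; re-render with True only after the user approves."""
    blocker = RemoteResourceBlocker(allow_remote)
    blocker.feed(message_html)
    blocker.close()
    return "".join(blocker.out), blocker.blocked


# Constructed sample message: a 1x1 tracking pixel, an inline attachment and a remote stylesheet.
SAMPLE = ('<p>Hello</p><img src="http://tracker.example/pixel.gif?id=42" width="1" height="1">'
          '<img src="cid:logo@mail"><link rel="stylesheet" href="http://tracker.example/s.css">')
```

Calling `sanitize_mail_html(SAMPLE)` keeps the inline `cid:` image and returns the two tracker URLs as blocked; the count of blocked references is what the "load images" prompt would show.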



As I wrote, there is no workaround for the spamming issue. So, my only suggestion is to avoid using the Mail application until a fix is available.

If you still insist on using it, you should be careful with the links you click, as they might not be from the trusted domain you think they are...

Thursday, 02 October 2008 06:16:33 UTC | Comments [6] | Security
Thursday, 02 October 2008 20:49:24 UTC
I think you just discovered the Columbus Egg. These are not bugs, these are just usability problems; modern desktop email software doesn't resolve these problems, it just gives the user responsibility for them. If the user loads images into the message, he's done the wrong thing and given his working email confirmation.
The same for the phishing advice: it's up to the user to check the link he's opening.
Thursday, 02 October 2008 21:43:22 UTC
Phishing is annoying and potentially dangerous to the individual who falls for the scam, but networks and personal computers are not at risk here, as they are with viruses, worms, and adware/malware. Phishing is specifically the presentation of a phony website or page therefrom made to look like a real website, for the purpose of obtaining passwords, credit card numbers, etc.

I repeat: This is NOT a security issue. But some security firms would like to convince you that it belongs under that umbrella because it gives them more to do (and more money to make). The fact is, a browser that doesn't have phishing "protection" is no less safe than one that does.

Responsibility for solving the phishing problem is the same as that for solving spam in general. Like phishing, spam is not a security problem either. Neither has anything to do with the web browser (except as the destination of the scam), but everything to do with the delivery of email. Typically, that's an issue that's the responsibility of your email provider, not a company like Apple.

A final point: Just because a browser has phishing protection doesn't mean you'll ever be safe from phishing. Anyone who thinks it does needs to wonder why we still haven't solved the email spam problem. These kinds of problems, which are NOT security problems, are best solved through email server intervention combined with user education.

Quit trying to make this a problem for companies who build browsers and email software.
Saturday, 04 October 2008 04:37:45 UTC
Hi, I just wanted to sincerely thank you and compliment you for a job VERY WELL DONE! Please keep up the GREAT work. Thanks, Kal
Monday, 06 October 2008 08:36:38 UTC
I agree that these are bugs that should be fixed by Apple. However, your 'Web Bug' example can also be triggered by other resources (CSS files, JavaScript) and not just images. Perhaps Apple's mail client shouldn't load any out-of-band data unless the sender is in the contacts list, which is easy enough to implement.
Tuesday, 07 October 2008 04:25:41 UTC
Raff, the two vulnerabilities that you described are not 'trivial.' They are pretty serious flaws that put millions of users at risk. But Apple is slow to act. Remember the Safari Carpet Bombing flaw? Apple waited months to fix it.
Monday, 09 March 2009 16:48:35 UTC
Raff, the above email flaw was one I noticed as soon as I started using the iPhone. Another email flaw is the iPhone's inability to delete an obvious spam email without first opening it. As one comment said, the issue of spam is the user's responsibility, or the email provider's responsibility, but even with some of the best anti-spam capability on the server, some still finds its way through; even some worms from contacts on your white list can get to your email client (iPhone email) if you block everything that is not on your white list. Without the email client's ability to preview the email or even delete it outright without opening it, the attacker's goal can be easily met.

Hopefully Apple will act and include something soon. It's still not there in OS release 2.21, six months after your last post on the topic.