
Apple's iPhone Still Has Two Serious Vulnerabilities, Says Security Researcher

Aviv Raff is a (very) smart guy, and back in July, when he informed Apple of two serious security flaws that affected the iPhone, he did the right thing, expecting the Cupertino company to act swiftly to close the vulnerabilities.

Sad to say, nearly three months afterwards, Apple has yet to act on the data that Raff provided. He wrote on his blog that he had "disclosed the technical details to Apple a few weeks before that post, in a hope to get those security issues fixed as soon as possible. Unfortunately, two and a half months later, and still there is no patch for those vulnerabilities."

He added that he asked Apple several times for a schedule, but "they have refused to provide the fix date". He continued: "Three versions (v2.0.1, v2.02, v2.1) have been released since I provided them with the details, and they are still "working on it". Therefore, I've decided to publicly disclose the technical details. Both issues are pretty trivial, and can be easily fixed by Apple."

What does that mean? The two vulnerabilities can lead to more phishing and spamming, and now that Aviv has decided to go public with them, iPhone owners can expect to become the targets of "social engineering" experts.

The phishing vulnerability is potentially the more damaging one, since it would allow phishing URLs to be crafted quite easily by using long subdomains (more than 24 characters).
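As an added illustration (not part of the original article or of Raff's disclosure), here is a small defensive check that flags a URL whose subdomain portion exceeds the 24-character figure cited above and reports the registrable domain the user would actually reach. The sample URLs are constructed, and treating the last two host labels as the registrable domain is an assumption (no public-suffix list is consulted).

```python
from urllib.parse import urlparse

# Threshold taken from the article: subdomains longer than 24 characters.
SUBDOMAIN_LIMIT = 24


def analyse_url(url: str) -> dict:
    """Split a URL's host into subdomain and registrable domain and flag long subdomains.

    A long subdomain can make the part of the host a reader actually sees look like
    a trusted site while the real destination is the registrable domain at the end.
    """
    # Assumption: bare hosts without a scheme are treated as http:// URLs.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".")
    labels = host.split(".") if host else []

    # Assumption: the registrable domain is the last two labels (e.g. example.com).
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    subdomain = ".".join(labels[:-2]) if len(labels) > 2 else ""

    return {
        "host": host,
        "registrable_domain": registrable,
        "subdomain": subdomain,
        "subdomain_length": len(subdomain),
        "suspicious": len(subdomain) > SUBDOMAIN_LIMIT,
    }


if __name__ == "__main__":
    # Constructed sample URLs: one benign, one with a long, bank-looking subdomain.
    samples = [
        "https://www.example.com/login",
        "http://www.example-bank.com.login.verify.account.attacker.example/",
    ]
    for sample in samples:
        result = analyse_url(sample)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} subdomain={result['subdomain_length']:2} chars "
              f"real domain={result['registrable_domain']}  ({sample})")
```

A mail or web filter could apply the same test before rendering a link, showing the registrable domain next to it so the reader sees where the link really goes.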

The second one has to do with the fact that Apple's mail application automatically downloads images, a "feature" that cannot be disabled. Spammers would certainly like this, as the download confirms that an email inbox is active.

Désiré Athow
Contributor

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.