The iPhone's Mail and Safari browser applications are prone to a
URL spoofing vulnerability, which may allow attackers to conduct
phishing attacks against the phone's users.
Security researcher Aviv Raff has revealed the vulnerability on
his blog. By creating a specially
crafted URL, and sending it via an e-mail, an attacker can convince
the user that the spoofed URL, shown in the mail application, is
from a trusted domain, such as a bank, PayPal or a social
network.
When the user clicks on the URL, the Safari browser opens. The
spoofed URL, shown in the address bar of the Safari browser, still
appears to the victim to be from a trusted domain.
iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by
this vulnerability. Earlier versions may also be affected, said
Raff.
Raff is currently withholding the technical details of the
vulnerability until a fix is delivered by Apple.
He said Apple has acknowledged the vulnerability in the Mail
application, and is still investigating the issue in Safari for
iPhone.