The researcher says he decided to publicise the workings of these security flaws on his blog because Apple has released at least three iPhone software updates since he informed the company of the flaws, and has made no move to patch the mobile system against the vulnerabilities. He let the company know about these problems way back in July.
The vulnerabilities are within Mail.
The first is that Mail automatically downloads images, which could be compromised. When an image is downloaded, its URL checks back with its source, enabling spammers to harvest an email address.
Fault two concerns Mail’s handling of URLs.
"The iPhone’s Mail application can be used to view both HTML and plain text mail messages. When the mail message is in HTML format, the text of links can be set to a different URL than the actual link. In most mail clients (e.g. on your PC / Mac), you can just hover the link and get a tooltip which will tell you the actual URL that you are about to click," the researcher explains.
Because an iPhone user who clicks on the link may only get to see the beginning part of the link, an attacker can "set a long subdomain (~24 characters) that, when cut off in the middle, will look as if it’s a trusted domain." This effectively leaves an iPhone user at risk of a phishing attack in situations in which the shortened link pretends to be a trusted site, such as Amazon.
Best advice, of course, is not to click on links when you are preparing to hand over personal info – type URLs in manually for this, and don’t open images from people you don’t trust.
On his move to publicise these problems, the researcher said, "I have disclosed the technical details to Apple a few weeks before that post, in a hope to get those security issues fixed as soon as possible. Unfortunately, two and a half months later, and still there is no patch for those vulnerabilities. I’ve asked Apple several times for a schedule, but they have refused to provide the fix date."
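The two Mail behaviours described above can be checked for on the receiving side before a message reaches a handset. The following is an added example, not code from the researcher or Apple: a mail-filter check that flags remote images and links whose visible text or truncated hostname would mislead. The 24-character width, the allow-list, the finding names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

VISIBLE_CHARS = 24        # assumption: host characters visible before the display cuts off
TRUSTED = {"amazon.com"}  # constructed allow-list of domains worth impersonating

def host_of(url):
    """Lower-cased hostname of a URL, or '' if there is none or it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

class MailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and host_of(a.get("src") or ""):
            self.findings.append(("remote-image", a["src"]))  # fetched from a server on open
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, text, self._href = self._href, "".join(self._text).strip(), None
        host = host_of(href)
        # Link text that itself reads as a host or URL but names a different host.
        shown = host_of(text if "://" in text else "//" + text)
        if " " not in text and "." in shown and shown.rpartition(".")[2].isalpha() and shown != host:
            self.findings.append(("text-href-mismatch", href))
        # Trusted name inside the visible prefix of a host that is not under that domain.
        for dom in TRUSTED:
            if dom in host[:VISIBLE_CHARS] and host != dom and not host.endswith("." + dom):
                self.findings.append(("truncated-host-lookalike", href))

def audit(html):
    parser = MailAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = """<img src="http://tracker.example/open.gif?id=abc123">
<a href="http://www.amazon.com.account-verify.example/signin">www.amazon.com</a>
<a href="https://www.amazon.com/orders">Your orders</a>"""  # constructed message body
```

Calling `audit(SAMPLE)` reports the tracking image and both problems with the first link, while the genuine Amazon link produces no finding.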