Researcher Aviv Raff has published two iPhone vulnerabilities in his personal blog that can lead to theft of the user's email address by attackers and phishing operations. Both vulnerabilities affect the iPhone Mail program.
The researcher claims to have communicated the two security issues to Apple over two months ago, and to have requested Cupertino a release date for the fixes several times. Apple has not provided the researcher with a precise date, in the meantime has made three firmware updates (2.0.1 – 2.0.2 finally 2.1) without the two vulnerabilities being resolved. For these reasons, Aviv Raff has decided to make his findings public.
Theft of the user's email address Aviv Raff claims that this is a serious and long-standing problem in all major email management programs. When an HTML email message containing an image is read, a request is sent to the remote server to obtain it. Most clients today require user approval for download, while iPhone Mail automatically downloads.
If a spammer, or a program for collecting email addresses, controls the remote server, he can know when the user has read the message, thus marking how he activates our mailbox. This vulnerability known as the Web Bug.
phishing: always in Mail and always reading HTML messages, the Web links contained in the email can refer to URLs other than those displayed in the text. In iPhone, to consult the real link, you need to hold your finger for a couple of seconds but given the size of the display, the longer addresses are truncated. By exploiting this particularity, an attacker could bring up truncated links that look like safe and trusted websites in all respects, while in reality selecting them we would be transported to a different URL. This vulnerability can be exploited for phishing scams.
Aviv Raff explains that for the problem of spamming there is no countermeasure applicable by users, so in fact it does not recommend the use of Mail on the iPhone until the problem is resolved by Apple. As regards the problem of phishing instead, be careful not to use the links in the messages, especially when we have to visit websites and Web pages where we will insert data and personal information. In these cases it is always a good habit to manually type in the desired address or use the Favorites stored in the smartphone.