iPhone Mail Application has Two UI Security Flaws
Tags: Hardware, HTML, mail, phishing, security
The iPhone's Mail application has two security flaws in its user interface that could potentially be harmful to unsuspecting users. Both of these flaws were found by Aviv Raff and are currently published on his blog, http://aviv.raffon.net.
The first flaw uses HTML in an email to disguise a phishing URL in a link. Here is Aviv Raff's description:
The iPhone’s Mail application can be used to view both HTML and plain text mail messages. When the mail message is in HTML format, the text of links can be set to a different URL than the actual link. In most mail clients (e.g. on your PC / Mac), you can just hover the link and get a tooltip which will tell you the actual URL that you are about to click.
In iPhone it’s a bit different. You need to click the link for a few seconds in order to get the tooltip. Now, because the iPhone screen is small, long URLs are automatically cut off in the middle. So, instead of “hxxp://www.somedomain.com/verylongpath/verylongfilename”, you will get in the tooltip something like “www.somedomain.com/very…ilename”.
The problem here is that an attacker can set a long subdomain (~24 characters) that, when cut off in the middle, will look as if it’s a trusted domain. The following iPhone screenshot shows an example:
In this example, the text of the link is “https://securelogin.facebook.com/reset.php?cc=534a556abd1006&tt=1212620963”, and the actual URL is http://securelogin.facebook.com.avivraff.com/reset.php?cc=534a556abd1006&tt=1212620963. However, when the victim tries to check what the actual link is, he will see: “securelogin.facebook.com…556abd1006&tt=1212620963”. This will convince the victim that the link is from facebook.com, where it is actually from avivraff.com.
When the victim clicks this link, Safari for iPhone will be opened:
As you can see, this would be very easy to re-create and could be dangerous to a lot of users. I don’t know how Apple will figure this one out, but I’m sure there will be a fix. Well, hopefully.
The second flaw is one that has been around for some time now and has actually been fixed in many email clients. It is based on the fact that images within an email load by default when you open it, instead of the client asking you first. Granted, this is only something to worry about if, say, you open a questionable email by mistake. Anyway, here’s Aviv Raff’s description:
This one is not just a trivial bug, it’s actually a pretty dumb design flaw, which was already fixed by all other mail clients ages ago. Whenever you view an HTML mail message which contains images, a request is made to a remote server in order to get the image. Most of the mail clients today require you to approve the download of the images. This is done for a good reason.
If the images were downloaded automatically, the spammer who controls the remote server will know that you have read the message, and will mark your mail account as active, in order to send you more spam. This “feature” is also known as a “Web Bug”.
The iPhone’s Mail application downloads all images automatically, and there is NO WAY to disable this feature!
How can you avoid these until Apple fixes them? Well, it’s pretty simple: don’t use the Mail application, or just make sure that the links you click and the HTML emails that you view are from trusted people or companies.
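For anyone filtering mail on the server side, here is an added example (not code from Aviv Raff's post or from Apple) that reproduces the middle-truncated tooltip for the URL quoted above, shows a display that keeps the whole hostname, and flags both link-text/href host mismatches and remote images in an HTML body. The 24-character cut, the function names and the `tracker.example` host are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def middle_truncate(url, keep=24):
    """Model of the tooltip: drop the scheme, keep both ends (keep=24 is assumed)."""
    shown = url.split("://", 1)[-1]
    return shown if len(shown) <= 2 * keep else shown[:keep] + "…" + shown[-keep:]

def host_first_display(url, keep=24):
    """Safer display: always show the full hostname, shorten only what follows."""
    parts = urlsplit(url)
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return parts.hostname + (rest if len(rest) <= keep else "/…" + rest[-keep:])

class MailAudit(HTMLParser):
    """Collects deceptive links and remote images from one HTML mail body."""
    def __init__(self):
        super().__init__()
        self.href, self.text = None, []
        self.mismatched_links = []  # (host shown in link text, host in href)
        self.remote_images = []     # URLs a client would fetch on open
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.href, self.text = attrs["href"], []
        elif tag == "img" and urlsplit(attrs.get("src") or "").scheme in ("http", "https"):
            self.remote_images.append(attrs["src"])
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            # Only link text that is itself a full URL can be compared by host.
            shown = urlsplit("".join(self.text).strip()).hostname
            real = urlsplit(self.href).hostname
            if shown and real and shown != real:
                self.mismatched_links.append((shown, real))
            self.href = None

def audit(html):
    parser = MailAudit()
    parser.feed(html)
    parser.close()
    return parser.mismatched_links, parser.remote_images

# Constructed sample: the link pair is the post's example; tracker.example is a placeholder.
REAL = "http://securelogin.facebook.com.avivraff.com/reset.php?cc=534a556abd1006&tt=1212620963"
SAMPLE = ('<a href="' + REAL.replace("&", "&amp;") + '">https://securelogin.facebook.com/'
          'reset.php?cc=534a556abd1006&amp;tt=1212620963</a>'
          '<img src="http://tracker.example/open.gif?id=42" width="1" height="1">')
```

Calling `audit(SAMPLE)` returns the mismatched host pair and the remote image URL; `middle_truncate(REAL)` gives the misleading string from the post, while `host_first_display(REAL)` keeps `avivraff.com` visible.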
Read the full aviv.raffon.net article “Happy New Year!”

