Friday, September 7, 2012

Apple iPhone hit by text message spoofing bug



Apple has confirmed the existence of a flaw in the iOS software underpinning its iPhone, iPad and iPod Touch products which allows for short messaging service (SMS) sender details to be spoofed.
The flaw, which stems from the handling of SMS text messages, allows a sender to manipulate the Reply-To header - making the message appear as though it has come from a different source. Currently being exploited by spammers to mask the origins of their adverts for PPI or personal injury claims, the flaw has more serious potential in allowing attackers to pretend to be a user's bank and request personal details.
According to the anonymous security researcher known as pod2g who discovered the flaw, the issue has existed since the very first version of iOS and continues to be a problem right into the latest beta release of the upcoming iOS 6.0 software update.
Apple, for its part, has admitted that there is an issue and that it is actively investigating the problem. "One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone," the company has explained in a statement to the press, "so we urge customers to be extremely careful if they're directed to an unknown Web site or address over SMS.
"When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks", the company added in mitigation.
Although Apple says it "takes security very seriously", its claim that the problem affects "any phone" is somewhat disingenuous: many phones use the originating number header, which is both present and completely accurate in even spoofed messages, providing some protection against the attack. Apple's handsets, on the other hand, ignore this header in favour of the custom Reply-To header - resulting in a spoofing risk not present on rival devices.
Thus far, Apple has not indicated when - or if - it intends to patch the flaw.
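
The check a handset or SMS gateway could make on a received message, as an added example that is not code from the article, Apple or pod2g: it reads both the originating number and any reply address from an SMS-DELIVER PDU and flags a mismatch. It assumes the article's "Reply-To header" is the Reply Address Element (IEI 0x22) of the 3GPP TS 23.040 user data header; the function names and sample PDUs are constructed for illustration.

```python
REPLY_ADDRESS_IEI = 0x22  # TS 23.040 Reply Address Element (assumed = the article's "Reply-To header")

def decode_address(buf, pos):
    """Decode a numeric TS 23.040 address at buf[pos]; return (number, next_pos).
    Alphanumeric sender IDs are out of scope for this example."""
    ndigits, toa = buf[pos], buf[pos + 1]
    end = pos + 2 + (ndigits + 1) // 2
    if end > len(buf):
        raise ValueError("truncated address field")
    # Digits are BCD with the nibbles of each octet swapped; 0xF pads odd lengths.
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in buf[pos + 2:end])[:ndigits]
    return ("+" if (toa & 0x70) == 0x10 else "") + digits, end

def inspect_sms_deliver(pdu_hex):
    """Return the network-supplied origin, any reply address, and whether they differ."""
    buf = bytes.fromhex(pdu_hex)
    try:
        pos = 1 + buf[0]                      # skip the SMSC information field
        first = buf[pos]
        if first & 0x03:                      # TP-MTI must be 00 for SMS-DELIVER
            raise ValueError("not an SMS-DELIVER PDU")
        origin, pos = decode_address(buf, pos + 1)   # TP-OA
        pos += 1 + 1 + 7 + 1                  # TP-PID, TP-DCS, TP-SCTS, TP-UDL
        reply = None
        if first & 0x40:                      # TP-UDHI: user data starts with a header
            udh_end = pos + 1 + buf[pos]
            pos += 1
            while pos + 2 <= udh_end:         # walk the information elements
                iei, iedl = buf[pos], buf[pos + 1]
                if iei == REPLY_ADDRESS_IEI:
                    reply, _ = decode_address(buf, pos + 2)
                pos += 2 + iedl
    except IndexError:
        raise ValueError("truncated PDU") from None
    return {"origin": origin, "reply_to": reply,
            "mismatch": reply is not None and reply != origin}

# Constructed sample PDUs (fictional 555-01xx numbers), not captured traffic.
_HEAD = "0B915155100021F3" "0004" "21907021000000"  # TP-OA +15550100123, PID/DCS, timestamp
PLAIN = "00" "04" + _HEAD + "05" "68656C6C6F"
WITH_REPLY = "00" "44" + _HEAD + "10" "0A" "2208" "0B915155100099F9" "68656C6C6F"

if __name__ == "__main__":
    for name, pdu in (("plain", PLAIN), ("with reply address", WITH_REPLY)):
        print(name, inspect_sms_deliver(pdu))
```

A client that shows `origin` whenever `mismatch` is true, or shows both values, gives the user the accurate number that the article says rival handsets rely on.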

Source: expertreviews
