A new feature in iPhone OS 3.0 has also created a new security liability, according to a security group member. The weakness stems from the OS automatically opening Safari when it attempts to connect to a network. Remote-exploit.org co-founder Max Moser explains that when the iPhone joins a network, it tries to run a DNS query for apple.com and open a simple HTML document stored on Apple’s website. If both steps complete without incident, the phone functions as normal, but when the DNS query succeeds and the HTML file can’t be retrieved, it assumes there is a “captive portal” (a hotspot with a login/pay-to-use screen) and automatically opens Safari. When combined with the penetration testing software karmetasploit, this vulnerability could potentially be used to capture iPhone cookies, account information, and possibly more, depending on what other vulnerabilities are found. While this would require a malicious Wi-Fi network to be set up, which might also pose a threat to other devices, the iPhone’s new automatic connect sequence leaves it more vulnerable than most. [via InformationWeek]