Experts are raining on the parade of the gadget celebutante of the moment, Apple’s iPhone. This week, at least two reports surfaced claiming to have found vulnerabilities in the iPhone that could open the door to malicious activity.
The Register described the iPhone as a “phisherman’s friend” after a security company reported a possible hole in the iPhone’s email client that can expose users to phishing Web sites. The email client displays only the first few characters of a Web link, making it relatively easy to hide the end of fake links.
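A mail filter can flag links whose host name does not fit inside the part of the link a client would display. The following Python check is an added example, not code from the reports or from Apple; `audit_link`, the `width` limit (the reports give no exact figure) and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def audit_link(url, width):
    """Compare what a width-limited link display shows with where the link goes.

    `width` is an assumed display limit in characters.
    """
    url = url.strip()
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    shown = url[:width]
    truncated = len(url) > width

    # Offset in `url` where the authority (userinfo@host:port) ends.
    authority_end = len(parts.scheme) + len("://") + len(parts.netloc)

    # The reader can only trust the host if the character that terminates it
    # ("/", "?" or "#") is also on screen; otherwise the host may continue
    # past the visible window.
    host_hidden = truncated and (not parts.netloc or authority_end >= width)

    try:
        apparent_host = urlsplit(shown).hostname or ""
    except ValueError:  # e.g. a cut-off bracketed IPv6 literal
        apparent_host = ""

    return {
        "shown": shown,
        "apparent_host": apparent_host,
        "real_host": real_host,
        "host_hidden": host_hidden,
    }

# Constructed sample links using reserved .example names.
SAMPLES = [
    "https://www.bank.example/login",
    "https://www.bank.example.accounts.attacker.example/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_link(sample, 25)
        flag = "FLAG" if result["host_hidden"] else "ok  "
        print(flag, result["shown"], "->", result["real_host"])
```

A link is flagged whenever the end of its host name is not visible, which also covers the case where the visible text happens to end exactly on a trusted-looking name.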
Another possible hole is how the iPhone links its Internet browser and phone functions, which can allow the embedding of scam telephone numbers within Web sites that unsuspecting users may be prompted to dial. eWeek.com also reports this vulnerability, citing SPI Labs’ warnings on the use of the Safari browser in dialing telephone numbers via mobile devices. The security company clarifies that the bug they found is not exclusive to the iPhone and may be applicable to Treos or Windows Mobile devices, but they chose to check the iPhone first. Note that on the iPhone a user can dial any phone number displayed on a Web page simply by tapping it. An attack like this can be launched from a malicious site, from a legitimate site with XSS, or as part of a malware payload.
These reports, however, are just a drizzle that can hardly stop the iPhone’s march. The real downpour is yet to come.