Apple has hit back at claims that its iPhone smartphones are prone to a vulnerability that allows hackers to spoof messages pretending to be from a bank or credit card company.
A security researcher, dubbed "pod2g" said that the vulnerability bypasses Apple's checks on third-party apps.
As the flaw does not execute code, a hacker doesn't need to get malicious code pass Apple, which has final say on all mobile apps that appear on its App Store.
The security researcher said that the bug is so severe; it affects all current versions of iOS including the latest, unreleased version iOS 6 beta 4.
"I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well," the researcher said on their blog.
The problem involves the header of a text message, which comprises of both the originating number of the message and the reply-to number. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery.
In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.
"Most carriers don't check this part of the message, which means one can write whatever he wants in this section, a special number like 911, or the number of somebody else," said Pod2g.
The researcher said that in good implementation of this feature, the receiver would see the original phone number and the reply-to one. "On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin," said Pod2g.
Apple released a statement and said that it took "security very seriously".
"When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks."
"One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS," it added.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
