Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Major Security Flaw in 2.0.2

aristotle

aristotle

macrumors 68000
Mar 13, 2007
1,768
5
Canada
Holy crap, I don't give a crap because I don't lock my iPhone since I usually keep it on my person.

It's the same thing with you laptop, as soon as someone has physical access to it, you are screwed anyway.
 
Cynicalone

Cynicalone

macrumors 68040
Jul 9, 2008
3,212
0
Okie land
You can really dig into the phone with this, I followed the steps above first then did some exploring. I clicked on a contact in favorites, then clicked on the sms button. Once in sms I backed out of their text log and had access to all my text's. I picked a text I knew had a link in it, that got me to my Safari app. I could surf anywhere I wanted. I picked a contact with an address and had access to Maps and GPS. An email address get's you into mail. I'm sure there is more. Damn talk about dropping the ball.
 
daneoni

daneoni

macrumors G4
Mar 24, 2006
11,598
1,146
That is a big gaping hole, props to the OP for discovering this. I'm not too sure enterprise customers will be happy about this...even average consumers. Full access to a phone thats meant to be secured?
 
L

luigi408

macrumors 6502
Jun 22, 2008
362
114
This is already in the front page of gizmodo.com good job in finding it... I hope they fix it soon!!!
 
E

eduweb

macrumors newbie
Aug 27, 2008
2
0
About security

While we're on the subject of security, has anyone tried accessing the phone data as follows:

- connect phone (while locked) to a new computer and iTunes
- backup iPhone

If iTunes allows to sync the iPhone with the computer without requiring the passcode to unlock the phone, then ALL the data on the phone is backed up to the computer and can easily be accessed by anyone using the computer.

Not in a position to try this out myself, but I think it just might work... iPhone never asks me for the passcode when I connect it to the computer.
 
greenmymac

greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
731
0
Tulsa, Ok
I have sent it off to Apple Feedback, Apple iTunes Support, Apple Mobile Me Support, TUAW, Someone at Apple is bound to see this!
 
P

Pooshka

macrumors 65816
Jun 28, 2008
1,162
1
This "Major Security Flaw" has been there since 1.0

And no one detected it until now???

WOW
 
greenmymac

greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
731
0
Tulsa, Ok
eduweb said:
While we're on the subject of security, has anyone tried accessing the phone data as follows:

- connect phone (while locked) to a new computer and iTunes
- backup iPhone

If iTunes allows to sync the iPhone with the computer without requiring the passcode to unlock the phone, then ALL the data on the phone is backed up to the computer and can easily be accessed by anyone using the computer.

Not in a position to try this out myself, but I think it just might work... iPhone never asks me for the passcode when I connect it to the computer.
Click to expand...

I think all the backup info is encrypted!

Pooshka said:
This "Major Security Flaw" has been there since 1.0

And no one detected it until now???

WOW
Click to expand...

1.0 didn't have the double tap home button option
 
E

eduweb

macrumors newbie
Aug 27, 2008
2
0
greenmymac said:
I think all the backup info is encrypted!
Click to expand...
If it is encrypted, then that's a new feature in 2.0 or iTunes 7 since back when I was in 1.1.3, I could easily access my SMS and calendar from the SQLITE databases that are backed up on my computer. Of course, it takes some time trying to guess which file is which database, but once that trivial task is done, it's very easy to see the data.

Don't have time to check this now, but I still doubt it's encrypted in any way.
 
greenmymac

greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
731
0
Tulsa, Ok
eduweb said:
If it is encrypted, then that's a new feature in 2.0 or iTunes 7 since back when I was in 1.1.3, I coulc easily access my SMS and calendar from the SQLITE databases that are backup up on my computer. Of course, it takes some time trying to guess which file is which database, but once that trivial task is done, it's very easy to see the data.

Don't have time to check this now, but I still doubt it's encrypted in any way.
Click to expand...

I wonder what Apple's problem is... Steve jobs has to be sick cause normally this **** would not fly
 
JML42691

JML42691

macrumors 68020
Oct 24, 2007
2,082
2
Macworld has an article about this now, referencing this thread as to pointing it out:

Macworld Link


And as it states in their article, an Apple spokesperson in London had no knowledge of this flaw, so this very well might be the first that they have heard of it, if so, expect this to be fixed in 2.1, or maybe an unplanned release of 2.0.3 directed only at this problem.
 
mcdj

mcdj

macrumors G3
Jul 10, 2007
8,964
4,214
NYC
Wirelessly posted (iPhone: Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0_2 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5C1 Safari/525.20)

Pretty ironic, considering all the hoops developers have to jump through to stay within Apple's SDK boundaries, insuring nothing they do compromises the phone. Apple obviously doesn't need any help from devs; the iPhone is perfectly capable of compromising itself.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom