Major Security Flaw in 2.0.2

greenmymac · 10:05 PM

Admin Edit: User hdm42 appears to be the original source for this flaw discovery.
-----------------

2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorite's page, i.e. tapping their home page brings up a full, unrestricted Safari.

rwd hero · Aug 26, 2008, 10:31 PM

WOW! I cant believe Apple would release an update with a security flaw like this. I cant wait for 2.1...

jessica. · 10:51 PM

I refuse to move to 2.02 so I cannot try, but holy ****! I tried it on 2.01 and guess what? It works the same way!

How in the world did you find this? And it is a huge flaw. Did you report it to Apple? I think I'm going to (or at least toss it on Digg so people know), it may be all in vain, but at least it's a start.

SFStateStudent · Aug 26, 2008, 10:47 PM

Wow! Wow! And Wow!

rockinrocker · Aug 26, 2008, 10:58 PM

yeah, that's messed up.

Niiro13 · Aug 26, 2008, 11:00 PM

Oh, DANG! That's so...wow...

See you on the front page

.

mcdj · Aug 26, 2008, 11:10 PM

you *did* send feedback to apple on this, yes?

Sirobin · Aug 26, 2008, 11:12 PM

It doesn't work for me, double tapping just takes me to the iPod screen.

JPIndustrie · Aug 26, 2008, 11:15 PM

This is awesome! SEcret doors!

Can't wait till this is on gizmodo/engadget...etc.

AndroidSUCKS · Aug 26, 2008, 11:18 PM

Quote:

Originally Posted by greenmymac

2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorite's page, i.e. tapping their home page brings up a full, unrestricted Safari.

Why don't we find guys like you QA? I doubt anyone in the iPhone QA dept is even capable of doing what you did.

marksman · Aug 26, 2008, 11:19 PM

I tried this and all my iPhone did is say:

"Would you like to play a game?"

ki2594 · Aug 26, 2008, 11:20 PM

Quote:

Originally Posted by marksman

I tried this and all my iPhone did is say:

"Would you like to play a game?"

lmfao wth

Niiro13 · Aug 26, 2008, 11:20 PM

Quote:

Originally Posted by Sirobin

It doesn't work for me, double tapping just takes me to the iPod screen.

You probably have the home button set to iPod.

I just tried it and it works with the iPod setting.

Good thing that if you set double tap to Home that it simply brings you back to the passcode screen.

So it only works if you have it set to Favorites or iPod.

Cynicalone · Aug 26, 2008, 11:21 PM

How did that slip threw

Eric. · Aug 26, 2008, 11:21 PM

Quote:

Originally Posted by Sirobin

It doesn't work for me, double tapping just takes me to the iPod screen.

That should only happen when you are listening to music, unless you have set the double-tap shortcut to be the iPod rather than favorites. If anyone is truly concerned about this all you should have to do is change that shortcut. Is it really worth the trouble? If someone steals your iPhone they aren't going to give it back when they find out that they can't make this security breach.

edit: And tree'd.

mcdj · Aug 26, 2008, 11:23 PM

Quote:

Originally Posted by Cynicalone

How did that slip threw

Same way you typed "threw" when you meant "through".

macduke · Aug 26, 2008, 11:25 PM

Quote:

Originally Posted by greenmymac

2.0.2 gives almost full access to the iPhone even while under password protection...

Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.

joekix · Aug 26, 2008, 11:27 PM

Quote:

Originally Posted by mcdj

Same way you typed "threw" when you meant "through".

That was funny.

Eric. · Aug 26, 2008, 11:33 PM

Quote:

Originally Posted by macduke

Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.

By default it goes to favorites, at least with my 3G it does...However it does go to the iPod by default if you have it set to do so while playing music.

PoitNarf · Aug 26, 2008, 11:41 PM

Wow, this deserves to be on the front page! Good find.

Cynicalone · Aug 26, 2008, 11:45 PM

Quote:

Originally Posted by mcdj

Same way you typed "threw" when you meant "through".

Ok I laughed at that... an I'm not going to edit it and fix it either.

PoitNarf · Aug 26, 2008, 11:55 PM

Wow, just tried this on my iPhone and can't believe that it actually works. Can't get into Safari since none of my favorite contacts have any webpages associated with them, but it's still scary that anyone would be able to call, email or text message my closest friends and family without having any clue as to what my passcode is.

firstapple · Aug 27, 2008, 12:01 AM

Holy crap! I too just tried this and replicated it just as you said. This is crazy! Apple needs to fix this and fast. I too am going to send a report to Apple regarding this. Very nice catch!

View · Aug 27, 2008, 12:23 AM

Wow, sounds like someone at Apple is about to be yelled at or get fired...
Nothing is perfect, but this is quite unacceptable.
It's not a major problem for me since I don't really use that feature, but I'm sure that shows the unreliability the iPhone has especially for high-level agents that need to secure their information.

Niiro13 · Aug 27, 2008, 12:25 AM

I see 2.0.3 in the horizon.

Aug 26, 2008, 09:02 PM	#1
greenmymac Banned Join Date: Oct 2007 Location: Tulsa, Ok	Major Security Flaw in 2.0.2 Admin Edit: User hdm42 appears to be the original source for this flaw discovery. ----------------- 2.0.2 gives almost full access to the iPhone even while under password protection... Steps to Reproduce Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry. Tap "Emergency Call" keypad from passcode entry screen. Double-tap home button. Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorite's page, i.e. tapping their home page brings up a full, unrestricted Safari. Last edited by arn : Aug 29, 2008 at 10:05 PM.

Aug 26, 2008, 10:44 PM	#3
jessica. macrumors Demi-Goddess Join Date: Feb 2005 Location: NC	I refuse to move to 2.02 so I cannot try, but holy ***! I tried it on 2.01 and guess what? It works the same way! How in the world did you find this? And it is a huge flaw. Did you report it to Apple? I think I'm going to (or at least toss it on Digg so people know), it may be all in vain, but at least it's a start. __________________ persona non grata Last edited by jessica. : Aug 26, 2008 at 10:51 PM.*

Aug 26, 2008, 10:47 PM	#4
SFStateStudent macrumors Demi-God Join Date: Aug 2007 Location: San Francisco California, USA	Wow! Wow! And Wow! __________________ MBP 2.5GHz 250GB Mac Pro 3G S⃣ iPhone 32GB Black

Aug 26, 2008, 10:58 PM	#5
rockinrocker macrumors 6502a Join Date: Aug 2006	yeah, that's messed up. __________________ Mac Pro 2.8 dual quad Macbook Core Duo 16 gig 3G

Aug 26, 2008, 11:10 PM	#7
mcdj macrumors 68020 Join Date: Jul 2007 Location: NYC	you did send feedback to apple on this, yes? __________________ Check out my crappy t-shirts

Aug 26, 2008, 10:31 PM	#2
rwd hero macrumors member Join Date: Aug 2008	WOW! I cant believe Apple would release an update with a security flaw like this. I cant wait for 2.1...

Aug 26, 2008, 11:00 PM	#6
Niiro13 macrumors 68000 Join Date: Feb 2008 Location: Illinois	Oh, DANG! That's so...wow... See you on the front page .

Aug 26, 2008, 11:12 PM	#8
Sirobin macrumors regular Join Date: May 2008 Location: California	It doesn't work for me, double tapping just takes me to the iPod screen. __________________ iMac G3, 233 Mhz, 96 MB RAM, 4 GB HD eMac G4, 700 Mhz, 768 MB RAM, 40 GB HD Powerbook G4, 1.67 Ghz, 2 GB RAM, 120 GB HD Mac Pro, 2.66 Octocore, 6 GB RAM, 4870, 1 TB HDD

Aug 26, 2008, 11:15 PM	#9
JPIndustrie macrumors 6502 Join Date: Mar 2008 Location: Queens, NY	This is awesome! SEcret doors! Can't wait till this is on gizmodo/engadget...etc.

Aug 26, 2008, 11:19 PM	#11
marksman macrumors 65816 Join Date: Jun 2007	I tried this and all my iPhone did is say: "Would you like to play a game?"

Aug 26, 2008, 11:21 PM	#14
Cynicalone macrumors Demi-God Join Date: Jul 2008 Location: Okie land	How did that slip threw

Aug 26, 2008, 11:41 PM	#20
PoitNarf macrumors 65816 Join Date: May 2007 Location: Northern NJ	Wow, this deserves to be on the front page! Good find.

Aug 26, 2008, 11:55 PM	#22
PoitNarf macrumors 65816 Join Date: May 2007 Location: Northern NJ	Wow, just tried this on my iPhone and can't believe that it actually works. Can't get into Safari since none of my favorite contacts have any webpages associated with them, but it's still scary that anyone would be able to call, email or text message my closest friends and family without having any clue as to what my passcode is.

Aug 27, 2008, 12:01 AM	#23
firstapple macrumors 6502a Join Date: Sep 2007	Holy crap! I too just tried this and replicated it just as you said. This is crazy! Apple needs to fix this and fast. I too am going to send a report to Apple regarding this. Very nice catch! __________________ 32 GB iPhone 3G S (Black) 20" Alum iMac 2.4GHz 4GB RAM 320GB HD 13" MacBook Pro 2.26GHz 4GB RAM Canon HV30 \| Nikon D90 Scott Ramsden's Photography!

Aug 27, 2008, 12:23 AM	#24
View macrumors regular Join Date: Apr 2007	Wow, sounds like someone at Apple is about to be yelled at or get fired... Nothing is perfect, but this is quite unacceptable. It's not a major problem for me since I don't really use that feature, but I'm sure that shows the unreliability the iPhone has especially for high-level agents that need to secure their information.

Aug 27, 2008, 12:25 AM	#25
Niiro13 macrumors 68000 Join Date: Feb 2008 Location: Illinois	I see 2.0.3 in the horizon.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode