Aug 26, 2008, 08:02 PM   #1
greenmymac
Banned

Join Date: Oct 2007
Location: Tulsa, Ok
Major Security Flaw in 2.0.2

Admin Edit: User hdm42 appears to be the original source for this flaw discovery.
-----------------

2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorite's page, i.e. tapping their home page brings up a full, unrestricted Safari.

Last edited by arn; Aug 29, 2008 at 09:05 PM.

Aug 26, 2008, 09:31 PM   #2
rwd hero
macrumors 6502
 
Join Date: Aug 2008
Location: Baltimore, Maryland
WOW! I can't believe Apple would release an update with a security flaw like this. I can't wait for 2.1...

Aug 26, 2008, 09:44 PM   #3
GoCubsGo
macrumors Nehalem
 
Join Date: Feb 2005
I refuse to move to 2.02 so I cannot try, but holy ****! I tried it on 2.01 and guess what? It works the same way!

How in the world did you find this? And it is a huge flaw. Did you report it to Apple? I think I'm going to (or at least toss it on Digg so people know), it may be all in vain, but at least it's a start.

Last edited by GoCubsGo; Aug 26, 2008 at 09:51 PM.

Aug 26, 2008, 09:47 PM   #4
SFStateStudent
macrumors 604
 
Join Date: Aug 2007
Location: San Francisco California, USA
Wow! Wow! And Wow!

Aug 26, 2008, 09:58 PM   #5
rockinrocker
macrumors 65816
 
Join Date: Aug 2006
yeah, that's messed up.

Aug 26, 2008, 10:00 PM   #6
Niiro13
macrumors 68000
 
Join Date: Feb 2008
Location: Illinois
Oh, DANG! That's so...wow...

See you on the front page.

Aug 26, 2008, 10:10 PM   #7
mcdj
Banned
 
Join Date: Jul 2007
Location: NYC
you *did* send feedback to apple on this, yes?

Aug 26, 2008, 10:12 PM   #8
Sirobin
macrumors 6502
 
Join Date: May 2008
Location: California
It doesn't work for me, double tapping just takes me to the iPod screen.

Aug 26, 2008, 10:15 PM   #9
JPIndustrie
macrumors 6502
 
Join Date: Mar 2008
Location: Queens, NY
This is awesome! Secret doors!

Can't wait till this is on gizmodo/engadget...etc.

Aug 26, 2008, 10:18 PM   #10
AndroidSUCKS
macrumors newbie
 
Join Date: Jul 2008
Quote:
Originally Posted by greenmymac
2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorite's page, i.e. tapping their home page brings up a full, unrestricted Safari.
Why don't we find guys like you QA? I doubt anyone in the iPhone QA dept is even capable of doing what you did.

Aug 26, 2008, 10:19 PM   #11
marksman
Banned
 
Join Date: Jun 2007
I tried this and all my iPhone did is say:

"Would you like to play a game?"

Aug 26, 2008, 10:20 PM   #12
ki2594
macrumors 6502a
 
Join Date: Apr 2008
Location: Carmel, IN.
Quote:
Originally Posted by marksman
I tried this and all my iPhone did is say:

"Would you like to play a game?"
lmfao wth

Aug 26, 2008, 10:20 PM   #13
Niiro13
macrumors 68000
 
Join Date: Feb 2008
Location: Illinois
Quote:
Originally Posted by Sirobin
It doesn't work for me, double tapping just takes me to the iPod screen.
You probably have the home button set to iPod.

I just tried it and it works with the iPod setting.

Good thing that if you set double tap to Home that it simply brings you back to the passcode screen.

So it only works if you have it set to Favorites or iPod.

Aug 26, 2008, 10:21 PM   #14
Cynicalone
macrumors 68040
 
Join Date: Jul 2008
Location: Okie land
How did that slip threw

Aug 26, 2008, 10:21 PM   #15
Eric.
macrumors regular
 
Join Date: Mar 2008
Quote:
Originally Posted by Sirobin
It doesn't work for me, double tapping just takes me to the iPod screen.
That should only happen when you are listening to music, unless you have set the double-tap shortcut to be the iPod rather than favorites. If anyone is truly concerned about this all you should have to do is change that shortcut. Is it really worth the trouble? If someone steals your iPhone they aren't going to give it back when they find out that they can't make this security breach.

edit: And tree'd.

Aug 26, 2008, 10:23 PM   #16
mcdj
Banned
 
Join Date: Jul 2007
Location: NYC
Quote:
Originally Posted by Cynicalone
How did that slip threw
Same way you typed "threw" when you meant "through".

Aug 26, 2008, 10:25 PM   #17
macduke
macrumors 68030
 
Join Date: Jun 2007
Location: Columbia, MO
Quote:
Originally Posted by greenmymac
2.0.2 gives almost full access to the iPhone even while under password protection...
Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.

Aug 26, 2008, 10:27 PM   #18
joekix
macrumors 6502
 
Join Date: Feb 2007
Location: earth, long beach CA to be exact
Quote:
Originally Posted by mcdj
Same way you typed "threw" when you meant "through".
That was funny.

Aug 26, 2008, 10:33 PM   #19
Eric.
macrumors regular
 
Join Date: Mar 2008
Quote:
Originally Posted by macduke
Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.
By default it goes to favorites, at least with my 3G it does...However it does go to the iPod by default if you have it set to do so while playing music.

Aug 26, 2008, 10:41 PM   #20
PoitNarf
macrumors 65816
 
Join Date: May 2007
Location: Northern NJ
Wow, this deserves to be on the front page! Good find.

Aug 26, 2008, 10:45 PM   #21
Cynicalone
macrumors 68040
 
Join Date: Jul 2008
Location: Okie land
Quote:
Originally Posted by mcdj
Same way you typed "threw" when you meant "through".
Ok I laughed at that... and I'm not going to edit it and fix it either.

Aug 26, 2008, 10:55 PM   #22
PoitNarf
macrumors 65816
 
Join Date: May 2007
Location: Northern NJ
Wow, just tried this on my iPhone and can't believe that it actually works. Can't get into Safari since none of my favorite contacts have any webpages associated with them, but it's still scary that anyone would be able to call, email or text message my closest friends and family without having any clue as to what my passcode is.

Aug 26, 2008, 11:01 PM   #23
firstapple
macrumors 6502a
 
Join Date: Sep 2007
Holy crap! I too just tried this and replicated it just as you said. This is crazy! Apple needs to fix this and fast. I too am going to send a report to Apple regarding this. Very nice catch!

Aug 26, 2008, 11:23 PM   #24
View
macrumors regular
 
Join Date: Apr 2007
Wow, sounds like someone at Apple is about to be yelled at or get fired...
Nothing is perfect, but this is quite unacceptable.
It's not a major problem for me since I don't really use that feature, but I'm sure that shows the unreliability the iPhone has especially for high-level agents that need to secure their information.

Aug 26, 2008, 11:25 PM   #25
Niiro13
macrumors 68000
 
Join Date: Feb 2008
Location: Illinois
I see 2.0.3 in the horizon.