
greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
Tulsa, Ok
Admin Edit: User hdm42 appears to be the original source for this flaw discovery.
-----------------

2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorites page, i.e. tapping their home page brings up a full, unrestricted Safari.
 
I refuse to move to 2.02 so I cannot try, but holy ****! I tried it on 2.01 and guess what? It works the same way!

How in the world did you find this? And it is a huge flaw. Did you report it to Apple? I think I'm going to (or at least toss it on Digg so people know), it may be all in vain, but at least it's a start.
 
2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorites page, i.e. tapping their home page brings up a full, unrestricted Safari.

Why don't we find guys like you QA? I doubt anyone in the iPhone QA dept is even capable of doing what you did.
 
It doesn't work for me, double tapping just takes me to the iPod screen.

You probably have the home button set to iPod.

I just tried it and it works with the iPod setting.

Good thing that if you set double tap to Home that it simply brings you back to the passcode screen.

So it only works if you have it set to Favorites or iPod.
 
It doesn't work for me, double tapping just takes me to the iPod screen.

That should only happen when you are listening to music, unless you have set the double-tap shortcut to be the iPod rather than favorites. If anyone is truly concerned about this all you should have to do is change that shortcut. Is it really worth the trouble? If someone steals your iPhone they aren't going to give it back when they find out that they can't make this security breach.

edit: And tree'd.
 
2.0.2 gives almost full access to the iPhone even while under password protection...

Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.
 
Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.

By default it goes to favorites, at least with my 3G it does...However it does go to the iPod by default if you have it set to do so while playing music.
 
Wow, just tried this on my iPhone and can't believe that it actually works. Can't get into Safari since none of my favorite contacts have any webpages associated with them, but it's still scary that anyone would be able to call, email or text message my closest friends and family without having any clue as to what my passcode is.
 
Holy crap! I too just tried this and replicated it just as you said. This is crazy! Apple needs to fix this and fast. I too am going to send a report to Apple regarding this. Very nice catch!
 
Wow, sounds like someone at Apple is about to be yelled at or get fired...
Nothing is perfect, but this is quite unacceptable.
It's not a major problem for me since I don't really use that feature, but I'm sure that shows the unreliability the iPhone has especially for high-level agents that need to secure their information.
 