Major Security Flaw in 2.0.2

[aristotle]

Holy crap, I don't give a crap because I don't lock my iPhone since I usually keep it on my person.

It's the same thing with you laptop, as soon as someone has physical access to it, you are screwed anyway.

[Cynicalone]

You can really dig into the phone with this, I followed the steps above first then did some exploring. I clicked on a contact in favorites, then clicked on the sms button. Once in sms I backed out of their text log and had access to all my text's. I picked a text I knew had a link in it, that got me to my Safari app. I could surf anywhere I wanted. I picked a contact with an address and had access to Maps and GPS. An email address get's you into mail. I'm sure there is more. Damn talk about dropping the ball.

[sr5878]

i had this same issue in 1.1.4... i posted on the boards about it....

[Phil A.]

That's a great find by the OP, and a big hole left there by Apple!

[daneoni]

That is a big gaping hole, props to the OP for discovering this. I'm not too sure enterprise customers will be happy about this...even average consumers. Full access to a phone thats meant to be secured?

[macwall]

wow... i hope they patch this soon.

[luigi408]

This is already in the front page of gizmodo.com good job in finding it... I hope they fix it soon!!!

[SirCrumpet]

Quote:

Originally Posted by marksman

I tried this and all my iPhone did is say:

"Would you like to play a game?"

Hmmm... A strange game. The only winning move is not to play. How about a nice game of chess?

[tucker101uk]

wow! Just tried this in my 2.0 and it does the same thing... Come on apple!?!!

[Mr. Brown]

That's bad news. Hope they fix it soon.

[BergerFan]

Quote:

Originally Posted by SirCrumpet

Hmmm... A strange game. The only winning move is not to play. How about a nice game of chess?

Thermonuclear war sounds a tad more exciting.

[eduweb]

While we're on the subject of security, has anyone tried accessing the phone data as follows:

- connect phone (while locked) to a new computer and iTunes
- backup iPhone

If iTunes allows to sync the iPhone with the computer without requiring the passcode to unlock the phone, then ALL the data on the phone is backed up to the computer and can easily be accessed by anyone using the computer.

Not in a position to try this out myself, but I think it just might work... iPhone never asks me for the passcode when I connect it to the computer.

[greenmymac]

I have sent it off to Apple Feedback, Apple iTunes Support, Apple Mobile Me Support, TUAW, Someone at Apple is bound to see this!

[Pooshka]

This "Major Security Flaw" has been there since 1.0

And no one detected it until now???

WOW

[greenmymac]

Quote:

Originally Posted by eduweb

While we're on the subject of security, has anyone tried accessing the phone data as follows:

- connect phone (while locked) to a new computer and iTunes
- backup iPhone

If iTunes allows to sync the iPhone with the computer without requiring the passcode to unlock the phone, then ALL the data on the phone is backed up to the computer and can easily be accessed by anyone using the computer.

Not in a position to try this out myself, but I think it just might work... iPhone never asks me for the passcode when I connect it to the computer.

I think all the backup info is encrypted!

Quote:

Originally Posted by Pooshka

This "Major Security Flaw" has been there since 1.0

And no one detected it until now???

WOW

1.0 didn't have the double tap home button option

[Mobile923]

So...

A stranger can have access to the phone app and safari.

... the only two applications that we're all having problems with.

yawn

[greenmymac]

Quote:

Originally Posted by Mobile923

So...

A stranger can have access to the phone app and safari.

... the only two applications that we're all having problems with.

yawn

No they have access to Safari, iPhone app, Contacts, Email, pretty serious to me

[SolRayz]

I have Exchange setup on my iphone which forces you to set a passcode and I can verify that there is no security hole.

[Pooshka]

Quote:

Originally Posted by greenmymac

1.0 didn't have the double tap home button option

OK, let me re-phrase myself: it's been there since the "Home Button Double-clicking" option

Anyway WOW

[eduweb]

Quote:

Originally Posted by greenmymac

I think all the backup info is encrypted!

If it is encrypted, then that's a new feature in 2.0 or iTunes 7 since back when I was in 1.1.3, I could easily access my SMS and calendar from the SQLITE databases that are backed up on my computer. Of course, it takes some time trying to guess which file is which database, but once that trivial task is done, it's very easy to see the data.

Don't have time to check this now, but I still doubt it's encrypted in any way.

[greenmymac]

Quote:

Originally Posted by eduweb

If it is encrypted, then that's a new feature in 2.0 or iTunes 7 since back when I was in 1.1.3, I coulc easily access my SMS and calendar from the SQLITE databases that are backup up on my computer. Of course, it takes some time trying to guess which file is which database, but once that trivial task is done, it's very easy to see the data.

Don't have time to check this now, but I still doubt it's encrypted in any way.

I wonder what Apple's problem is... Steve jobs has to be sick cause normally this **** would not fly

[vrflyer]

Quote:

Originally Posted by Phil A.

That's a great find by the OP, and a big hole left there by Apple!

Uh, doesn't the apple logo have a hole for a reason?

[greenmymac]

Quote:

Originally Posted by vrflyer

Uh, doesn't the apple logo have a hole for a reason?

I also wonder how get Macrumors to front page this!

[JML42691]

Macworld has an article about this now, referencing this thread as to pointing it out:

Macworld Link


And as it states in their article, an Apple spokesperson in London had no knowledge of this flaw, so this very well might be the first that they have heard of it, if so, expect this to be fixed in 2.1, or maybe an unplanned release of 2.0.3 directed only at this problem.

[mcdj]

Wirelessly posted (iPhone: Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0_2 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5C1 Safari/525.20)

Pretty ironic, considering all the hoops developers have to jump through to stay within Apple's SDK boundaries, insuring nothing they do compromises the phone. Apple obviously doesn't need any help from devs; the iPhone is perfectly capable of compromising itself.