Major Security Flaw in 2.0.2

Discussion in 'iPhone' started by greenmymac, Aug 26, 2008.

  1. macrumors 6502a

    greenmymac

    Joined:
    Oct 25, 2007
    Location:
    Tulsa, Ok
    #1
    Admin Edit: User hdm42 appears to be the original source for this flaw discovery.
    -----------------

    2.0.2 gives almost full access to the iPhone even while under password protection...

    Steps to Reproduce

    Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc. in address book entry.

    Tap "Emergency Call" keypad from passcode entry screen.

    Double-tap home button.

    Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorites page, i.e. tapping their home page brings up a full, unrestricted Safari.
     
  2. macrumors 6502

    Joined:
    Aug 6, 2008
    Location:
    Baltimore, Maryland
    #2
    WOW! I can't believe Apple would release an update with a security flaw like this. I can't wait for 2.1...
     
  3. macrumors Nehalem

    GoCubsGo

    Joined:
    Feb 19, 2005
    #3
    I refuse to move to 2.02 so I cannot try, but holy ****! I tried it on 2.01 and guess what? It works the same way!

    How in the world did you find this? And it is a huge flaw. Did you report it to Apple? I think I'm going to (or at least toss it on Digg so people know), it may be all in vain, but at least it's a start.
     
  4. macrumors 604

    SFStateStudent

    Joined:
    Aug 28, 2007
    Location:
    San Francisco California, USA
    #4
    Wow! Wow! And Wow! :eek:
     
  5. macrumors 65816

    Joined:
    Aug 21, 2006
    #5
    yeah, that's messed up.
     
  6. macrumors 68000

    Joined:
    Feb 12, 2008
    Location:
    Illinois
    #6
    Oh, DANG! That's so...wow...

    See you on the front page :).
     
  7. macrumors 604

    mcdj

    Joined:
    Jul 10, 2007
    Location:
    NYC
    #7
    You *did* send feedback to Apple on this, yes?
     
  8. macrumors 6502

    Joined:
    May 6, 2008
    Location:
    California
    #8
    It doesn't work for me, double tapping just takes me to the iPod screen.
     
  9. macrumors 6502a

    JPIndustrie

    Joined:
    Mar 12, 2008
    Location:
    Queens, NY
    #9
    This is awesome! Secret doors!

    Can't wait till this is on Gizmodo/Engadget...etc.
     
  10. macrumors newbie

    Joined:
    Jul 15, 2008
    #10
    Why don't we find guys like you QA? I doubt anyone in the iPhone QA dept is even capable of doing what you did.
     
  11. macrumors 603

    marksman

    Joined:
    Jun 4, 2007
    #11
    I tried this and all my iPhone did is say:

    "Would you like to play a game?"
     
  12. macrumors 6502a

    Joined:
    Apr 12, 2008
    Location:
    Carmel, IN.
    #12
    lmfao wth
     
  13. macrumors 68000

    Joined:
    Feb 12, 2008
    Location:
    Illinois
    #13
    You probably have the home button set to iPod.

    I just tried it and it works with the iPod setting.

    Good thing that if you set double tap to Home that it simply brings you back to the passcode screen.

    So it only works if you have it set to Favorites or iPod.
     
  14. macrumors 68040

    Cynicalone

    Joined:
    Jul 9, 2008
    Location:
    Okie land
    #14
    How did that slip threw :eek::confused::eek:
     
  15. macrumors regular

    Joined:
    Mar 30, 2008
    #15
    That should only happen when you are listening to music, unless you have set the double-tap shortcut to be the iPod rather than favorites. If anyone is truly concerned about this all you should have to do is change that shortcut. Is it really worth the trouble? If someone steals your iPhone they aren't going to give it back when they find out that they can't make this security breach.

    edit: And tree'd.
     
  16. macrumors 604

    mcdj

    Joined:
    Jul 10, 2007
    Location:
    NYC
    #16
    Same way you typed "threw" when you meant "through".
     
  17. macrumors 601

    macduke

    Joined:
    Jun 27, 2007
    Location:
    Central U.S.
    #17
    Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

    The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.
     
  18. macrumors 6502

    joekix

    Joined:
    Feb 2, 2007
    Location:
    earth, long beach CA to be exact
    #18
    That was funny.
     
  19. macrumors regular

    Joined:
    Mar 30, 2008
    #19
    By default it goes to favorites, at least with my 3G it does...However it does go to the iPod by default if you have it set to do so while playing music.
     
  20. macrumors 65816

    PoitNarf

    Joined:
    May 28, 2007
    Location:
    Northern NJ
    #20
    Wow, this deserves to be on the front page! Good find.
     
  21. macrumors 68040

    Cynicalone

    Joined:
    Jul 9, 2008
    Location:
    Okie land
    #21
    Ok I laughed at that... and I'm not going to edit it and fix it either. :D
     
  22. macrumors 65816

    PoitNarf

    Joined:
    May 28, 2007
    Location:
    Northern NJ
    #22
    Wow, just tried this on my iPhone and can't believe that it actually works. Can't get into Safari since none of my favorite contacts have any webpages associated with them, but it's still scary that anyone would be able to call, email or text message my closest friends and family without having any clue as to what my passcode is.
     
  23. macrumors 6502a

    firstapple

    Joined:
    Sep 25, 2007
    #23
    Holy crap! I too just tried this and replicated it just as you said. This is crazy! Apple needs to fix this and fast. I too am going to send a report to Apple regarding this. Very nice catch!
     
  24. macrumors regular

    Joined:
    Apr 18, 2007
    #24
    Wow, sounds like someone at Apple is about to be yelled at or get fired...
    Nothing is perfect, but this is quite unacceptable.
    It's not a major problem for me since I don't really use that feature, but I'm sure that shows the unreliability the iPhone has especially for high-level agents that need to secure their information.
     
  25. macrumors 68000

    Joined:
    Feb 12, 2008
    Location:
    Illinois
    #25
    I see 2.0.3 on the horizon.
     
