Major Security Flaw in 2.0.2

greenmymac

macrumors 6502a
Oct 25, 2007
730
0
0
31
Tulsa, Ok
Admin Edit: User hdm42 appears to be the original source for this flaw discovery.
-----------------

2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorite's page, i.e. tapping their home page brings up a full, unrestricted Safari.
 

GoCubsGo

macrumors Nehalem
Feb 19, 2005
35,743
139
0
I refuse to move to 2.02 so I cannot try, but holy ****! I tried it on 2.01 and guess what? It works the same way!

How in the world did you find this? And it is a huge flaw. Did you report it to Apple? I think I'm going to (or at least toss it on Digg so people know), it may be all in vain, but at least it's a start.
 

AndroidSUCKS

macrumors newbie
Jul 15, 2008
19
0
0
2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorite's page, i.e. tapping their home page brings up a full, unrestricted Safari.
Why don't we find guys like you QA? I doubt anyone in the iPhone QA dept is even capable of doing what you did.
 

Niiro13

macrumors 68000
Feb 12, 2008
1,717
0
0
Illinois
It doesn't work for me, double tapping just takes me to the iPod screen.
You probably have the home button set to iPod.

I just tried it and it works with the iPod setting.

Good thing that if you set double tap to Home that it simply brings you back to the passcode screen.

So it only works if you have it set to Favorites or iPod.
 

Eric.

macrumors regular
Mar 30, 2008
188
0
0
It doesn't work for me, double tapping just takes me to the iPod screen.
That should only happen when you are listening to music, unless you have set the double-tap shortcut to be the iPod rather than favorites. If anyone is truly concerned about this all you should have to do is change that shortcut. Is it really worth the trouble? If someone steals your iPhone they aren't going to give it back when they find out that they can't make this security breach.

edit: And tree'd.
 

macduke

macrumors G4
Jun 27, 2007
10,536
14,009
0
Central U.S.
2.0.2 gives almost full access to the iPhone even while under password protection...
Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.
 

Eric.

macrumors regular
Mar 30, 2008
188
0
0
Dude that is some crazy stuff. You sir, are one crazy hacker. I've never heard of this before on any site. This needs to be sent out to Giz, Engadget, Digg, everyone.

The fix FTW: disable double tapping of home button in Settings > General > Home Button > Checkmark Home and it will kick it back out of the emergency call screen when they double tap. If you don't care about someone listening to your iTunes library, then just select iPod instead or you can leave this setting alone if it's already set, which it was on my iPhone originally.
By default it goes to favorites, at least with my 3G it does...However it does go to the iPod by default if you have it set to do so while playing music.
 

PoitNarf

macrumors 65816
May 28, 2007
1,217
2
0
Northern NJ
Wow, just tried this on my iPhone and can't believe that it actually works. Can't get into Safari since none of my favorite contacts have any webpages associated with them, but it's still scary that anyone would be able to call, email or text message my closest friends and family without having any clue as to what my passcode is.
 

View

macrumors regular
Apr 18, 2007
247
0
0
Wow, sounds like someone at Apple is about to be yelled at or get fired...
Nothing is perfect, but this is quite unacceptable.
It's not a major problem for me since I don't really use that feature, but I'm sure that shows the unreliability the iPhone has especially for high-level agents that need to secure their information.