Major Security Flaw in 2.0.2

aristotle

macrumors 68000
Mar 13, 2007
1,763
5
Canada
Holy crap, I don't give a crap because I don't lock my iPhone since I usually keep it on my person.

It's the same thing with you laptop, as soon as someone has physical access to it, you are screwed anyway.
 

Cynicalone

macrumors 68040
Jul 9, 2008
3,209
0
Okie land
You can really dig into the phone with this, I followed the steps above first then did some exploring. I clicked on a contact in favorites, then clicked on the sms button. Once in sms I backed out of their text log and had access to all my text's. I picked a text I knew had a link in it, that got me to my Safari app. I could surf anywhere I wanted. I picked a contact with an address and had access to Maps and GPS. An email address get's you into mail. I'm sure there is more. Damn talk about dropping the ball.
 

daneoni

macrumors G4
Mar 24, 2006
10,803
79
That is a big gaping hole, props to the OP for discovering this. I'm not too sure enterprise customers will be happy about this...even average consumers. Full access to a phone thats meant to be secured?
 

luigi408

macrumors 6502
Jun 22, 2008
339
63
This is already in the front page of gizmodo.com good job in finding it... I hope they fix it soon!!!
 

eduweb

macrumors newbie
Aug 27, 2008
2
0
About security

While we're on the subject of security, has anyone tried accessing the phone data as follows:

- connect phone (while locked) to a new computer and iTunes
- backup iPhone

If iTunes allows to sync the iPhone with the computer without requiring the passcode to unlock the phone, then ALL the data on the phone is backed up to the computer and can easily be accessed by anyone using the computer.

Not in a position to try this out myself, but I think it just might work... iPhone never asks me for the passcode when I connect it to the computer.
 

greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
730
0
Tulsa, Ok
I have sent it off to Apple Feedback, Apple iTunes Support, Apple Mobile Me Support, TUAW, Someone at Apple is bound to see this!
 

Pooshka

macrumors 65816
Jun 28, 2008
1,162
0
This "Major Security Flaw" has been there since 1.0

And no one detected it until now???

WOW
 

greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
730
0
Tulsa, Ok
While we're on the subject of security, has anyone tried accessing the phone data as follows:

- connect phone (while locked) to a new computer and iTunes
- backup iPhone

If iTunes allows to sync the iPhone with the computer without requiring the passcode to unlock the phone, then ALL the data on the phone is backed up to the computer and can easily be accessed by anyone using the computer.

Not in a position to try this out myself, but I think it just might work... iPhone never asks me for the passcode when I connect it to the computer.
I think all the backup info is encrypted!

This "Major Security Flaw" has been there since 1.0

And no one detected it until now???

WOW
1.0 didn't have the double tap home button option
 

eduweb

macrumors newbie
Aug 27, 2008
2
0
I think all the backup info is encrypted!
If it is encrypted, then that's a new feature in 2.0 or iTunes 7 since back when I was in 1.1.3, I could easily access my SMS and calendar from the SQLITE databases that are backed up on my computer. Of course, it takes some time trying to guess which file is which database, but once that trivial task is done, it's very easy to see the data.

Don't have time to check this now, but I still doubt it's encrypted in any way.
 

greenmymac

macrumors 6502a
Original poster
Oct 25, 2007
730
0
Tulsa, Ok
If it is encrypted, then that's a new feature in 2.0 or iTunes 7 since back when I was in 1.1.3, I coulc easily access my SMS and calendar from the SQLITE databases that are backup up on my computer. Of course, it takes some time trying to guess which file is which database, but once that trivial task is done, it's very easy to see the data.

Don't have time to check this now, but I still doubt it's encrypted in any way.
I wonder what Apple's problem is... Steve jobs has to be sick cause normally this **** would not fly
 

JML42691

macrumors 68020
Oct 24, 2007
2,082
2
Macworld has an article about this now, referencing this thread as to pointing it out:

Macworld Link


And as it states in their article, an Apple spokesperson in London had no knowledge of this flaw, so this very well might be the first that they have heard of it, if so, expect this to be fixed in 2.1, or maybe an unplanned release of 2.0.3 directed only at this problem.
 

mcdj

macrumors G3
Jul 10, 2007
8,861
3,723
NYC
Wirelessly posted (iPhone: Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0_2 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5C1 Safari/525.20)

Pretty ironic, considering all the hoops developers have to jump through to stay within Apple's SDK boundaries, insuring nothing they do compromises the phone. Apple obviously doesn't need any help from devs; the iPhone is perfectly capable of compromising itself.