Apple iPhone phishing vulnerability revealed – Fortify Software warns of embedded links

They’re out to get you. Hackers the world over are gunning for the iPhone – and not all of them are working for the good guys (unlocking the iPhone to work on non-AT&T (NYSE: T) networks is a good thing). Security firm Fortify Software reveals a couple things about the iPhone that make a hacker’s job a little easier. We’re using the term “hacker” a bit loosely here – these securtiy holes are really more like phishing vulnerabilities.

For one thing, your iPhone won’t display the URL of a link embedded into an email, making it easier to trick you into pointing your Safari browser to a scam-a-licious website. Which brings us to our next security flaw. The address bar in Safari displays only a partial URL, making it even easier to hide disguise said scam-a-licious site.

And then there’s the integration of Safari into the iPhone. Brian Chess explains that, “you can embed a telephone number in a web page like this:

<a id=”phone_home” href=”tel:1-900-867-5309″>call me!</a>
You can also write JavaScript that causes the iPhone to initiate the dialing process:<script>
window.document.url = “tel:1-900-867-5309″
</script>”

Now that’s a sobering thought – to think that the iPhone’s dialing function can be hijacked via JavaScript. But then again, you are prompted to initiate the call.  We’re gonna say that the iPhone is still a fairly secure platform.

[Via: Tech.co.uk]