  • iPhone Security Hole Discovered - View iPhone Passwords


    Just submitted to Apple as a bug, rpetrich (developer of the ActionMenu packages in Cydia) discovered an interesting security bug in the iPhone firmware.

    If a password is inputted in a field, shake to undo, and you will be able to see the character you are deleting. Simply repeat this for every character, and you have the password.

    Obviously this isn't an issue that would be useful for those with a criminal bent, as you'd have to be within grabbing distance of someone who input their password, DIDN'T navigate off the page, and then left their iPhone... but a security bug nonetheless.

    EDIT: rpetrich lets us know that this also works in any apps that save passwords (such as most Twitter apps) - making this bug much more severe.

    EDIT AGAIN: This seems to have been fixed in FW 3.1. Which is NOT a good enough reason to upgrade yet, heh - wait for the jailbreak.

    EDIT 3: The guys over at NeoWin made up a video showing this bug:



    You can submit security bugs to Apple here.

    rpetrich's Twitter
    This article was originally published in forum thread: iPhone Security Hole Discovered - View iPhone Passwords, started by Kyle Matthews.

    35 Comments
    1. angiepangie -
      Yes.. but that annoying Melech518 isn't around
    1. Melech518 -
      Hahaha...you sure about that??

      I pop in and out from time to time...It's always when you and confy are sleeping
    1. angiepangie -
      not at the moment..

      Me and Conf are always asleep at opposite times.
      You pop in when I'm at school (yes.. I can tell who drops by the blog.. even if they don't comment)
    1. Melech518 -
      Wait and see how badly I get flamed for the comment I just wrote

      I am done hijacking this thread...sorry PF
    1. angiepangie -
      lols. I'm excited
    1. Khürt -
      Originally posted by poetic_folly:

      If a password is inputted in a field, shake to undo, and you will be able to see the character you are deleting. Simply repeat this for every character, and you have the password.
      rpetrich's Twitter
      If this is a security bug then so is leaving your keys in the front door while out or leaving your car running while using the ATM machine in a bad neighbourhood late at night.

      Security vulnerabilities involve a loss of control. That is, in order for a flaw to constitute a security vulnerability, it must be possible for an attacker to compel the victim to submit to the attack despite reasonable efforts to avoid it.
    1. thuwun -
      Originally posted by Khürt:
      If this is a security bug then so is leaving your keys in the front door while out or leaving your car running while using the ATM machine in a bad neighbourhood late at night.

      Security vulnerabilities involve a loss of control. That is, in order for a flaw to constitute a security vulnerability, it must be possible for an attacker to compel the victim to submit to the attack despite reasonable efforts to avoid it.
      ^ +1
    1. rwin84 -
      Quick fix really. There will be more, props to rpetrich for digging that one up
    1. silent1643 -
      Originally posted by ifonemaniac:
      it's not a defect...it's a feature..
    1. JAG2621 -
      Originally posted by RandyC:
      Hmmm tried it on my phone in Safari but doesn't seem to happen to me. Maybe I'm doing it wrong? On iPhone 3G 3.1
      If you read all of the initial post the bug was fixed in 3.1.

      Originally posted by Khürt:
      If this is a security bug then so is leaving your keys in the front door while out or leaving your car running while using the ATM machine in a bad neighbourhood late at night.

      Security vulnerabilities involve a loss of control. That is, in order for a flaw to constitute a security vulnerability, it must be possible for an attacker to compel the victim to submit to the attack despite reasonable efforts to avoid it.

      +1




      Or just leave your wallet laying out on the table in plain sight in a group of people.
    1. RandyC -
      Originally posted by JAG2621:
      If you read all of the initial post the bug was fixed in 3.1.
      If you read all of the initial post, more carefully, you'd see that it was edited, obviously after I had posted.

      Originally posted by poetic_folly:
      EDIT AGAIN: This seems to have been fixed in FW 3.1. Which is NOT a good enough reason to upgrade yet, heh - wait for the jailbreak.
    1. lokicola -
      personally,

      I just don't let anyone I don't know on my iPhone....

      but that's just me.
    1. minig -
      landscape theme in picture is nice where can i locate that mmmm
    1. mdc929 -
      fortunately I couldn't get it to work :-p
    1. bbillh77 -
      If someone is going to take your phone while you are entering your password they might have earned it. However, if you save your logins and lose your phone you got it coming. Don't save logins