  • Huge Security Flaw in firmware 2.0.1 and 2.0.2
    Fortunately, there's a way to avoid this obvious security breach until Apple fixes it.

    First, password protect your phone and lock it. Then slide to unlock and do this:

    1. Tap emergency call.
    2. Double tap the home button.

    Done. You are now in your favorites. This seems like a feature, because you may want to have an emergency number in your favorites for quick dial. The security problem here is twofold. First, anyone picking up your phone can make a call to anyone in your favorites. On top of that, this also opens access to your full Address Book, the dial keypad, and your voicemail.

    If that wasn't bad enough, the second problem is even worse: if you tap on the blue arrows next to the names, you get full access to the private information in a favorite entry. And it goes downhill from there:

    • If you click on a mail address, it will give you full access to the Mail application. All your mail will be exposed.
    • If there's a URL in your contact (or in a mail message), you can click on it and have full access to Safari.
    • If you click on send text message in a contact, it will give you full access to all your SMS.

    Hopefully, this major security hole, which fully exposes your most private information, will be fixed as soon as possible. Until then, you can avoid any potential breach by doing the following:

    1. On the iPhone home screen, go to Settings.
    2. Click on General.
    3. Click on Home Button.
    4. Click on either "Home" or "iPod".

    This way, the double-click on the home button will take the user back to the unlock screen (if you use "Home") or the iPod screen. I recommend using Home. You will lose the ability to quickly access your favorites for a quick call—which is one of my favorite features—but that's better than having all your private mails, contacts, and SMS database compromised.

    UPDATE: Evidently Apple has a fix coming in their next firmware update, but we've got no word on when that release is planned.


    Source: Major Security Flaw in 2.0.2 - Mac Forums, every other iPhone news site, and our own members RaMod and One1
    This article was originally published in forum thread: Huge Security Flaw in firmware 2.0.1 and 2.0.2 started by .:MirrorminD:.
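
The exposure described in the article can be treated as a reachability question: starting from the locked phone, which screens can be reached without the passcode under each Home Button setting? The model below is an added example, not part of the original article; the screen names and the `favorites` / `home` / `ipod` setting labels are assumptions taken from the article's description.

```python
from collections import deque

# Screens intended to be usable while the phone is locked (labels are assumptions).
ALLOWED_WHILE_LOCKED = {"lock_screen", "passcode_prompt", "emergency_call"}

def edges_for(home_double_tap):
    """Taps available without the passcode, per the article, for one Home Button setting."""
    edges = {
        "lock_screen": ["passcode_prompt"],        # slide to unlock
        "passcode_prompt": ["emergency_call"],     # tap "emergency call"
        "favorites": ["address_book", "keypad", "voicemail", "contact_details"],
        "contact_details": ["mail", "safari", "sms"],  # mail address, URL, send text
        "mail": ["safari"],                        # URL inside a mail message
    }
    # The flaw: the emergency call screen still honours the double-tap shortcut.
    shortcut = {"favorites": "favorites", "home": "lock_screen", "ipod": "ipod_controls"}
    edges["emergency_call"] = [shortcut[home_double_tap]]
    return edges

def search(home_double_tap, start="lock_screen"):
    """Breadth-first search; returns {screen: previous screen} for everything reachable."""
    edges, parent, queue = edges_for(home_double_tap), {start: None}, deque([start])
    while queue:
        here = queue.popleft()
        for nxt in edges.get(here, []):
            if nxt not in parent:
                parent[nxt] = here
                queue.append(nxt)
    return parent

def exposed(home_double_tap):
    """Screens reachable while locked that should have required the passcode."""
    return sorted(set(search(home_double_tap)) - ALLOWED_WHILE_LOCKED)

def path_to(screen, home_double_tap):
    """Shortest tap sequence from the lock screen, or None if unreachable."""
    parent = search(home_double_tap)
    if screen not in parent:
        return None
    path = []
    while screen is not None:
        path.append(screen)
        screen = parent[screen]
    return path[::-1]

if __name__ == "__main__":
    for setting in ("favorites", "home", "ipod"):
        print(f"{setting:9} -> exposed: {exposed(setting)}")
    print("path to mail:", path_to("mail", "favorites"))
```

With the shortcut pointed at Home, the emergency call screen only leads back to the lock screen, so nothing beyond the intended screens is reachable; with iPod, only the music controls are.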
    62 Comments
    1. Cicada -
      D'oh!
    1. nebulis -
      Just read the post and put a PIN on my 2.0.2 iPhone 3G. I hit emergency call and then double tap home. I get taken to my favorites but I DON'T have access to the keypad, contacts or voicemail, just my favorites list. I do though have access to the contacts list through the email app when it's locked.
    1. straightryder -
      Quote: Originally posted by corizzle
      am i the only one that likes this? i don't have to enter my code to call my home phone or my job. LOVE IT!
      HILARIOUS!!!

      My coffee went through my nose. You're a bastard!!! LOL
    1. bballchik -
      Yes this is a little hassle, but I have my double tap home button set to iPod, so if someone does this, they'll only be able to listen to my songs
    1. jayson9 -
      What a great new feature! And we thought all we had to talk about is the slowness of the 3G network.......... The iPhone is certainly a diamond in the rough!
    1. hartphoto -
      Never mind...
    1. TheOnlyest -
      Just install "LockDown" from Cydia and password lock all your apps that you're worried about... problem solved!
    1. Alperovich -
      i personally am not too worried about this, i don't see any point in password protecting my phone anyways, it just makes it that much more of a hassle to use the phone, however, again it's kinda nice, this flaw,

      if it's protected, i can still use double tap to control the ipod on the fly, or make a quick call without letting someone totally at the phone (should have been the point)

      looks like it'll need fixing but it just seems some ppl are just making this a bigger deal than it really is IMHO
    1. iphoneroeth -
      and I don't even have mine locked!
    1. tanaoeurn1987 -
      now if you ain't got no favorites you don't have to worry about anything. and plus the people that steal this iphone from me probably don't know jack **** about it.
    1. LaZARuZ -
      I like it, no big deal. Some people like to make it into something bigger than it is. Look at it this way: you get into an accident, whether it's a car or just taking a walk, you hurt yourself bad and police come to help, you have no ID on you, forgot it or whatever, yes we all forget our wallets sometimes. OK, so all you've got is your phone, police can go in and look for I.C.E. or anyone close to you. That's what I think it's used for.
    1. falcon72 -
      in a way I kind of like it because when my phone is locked I can make a quick call to the people in my favorites
    1. raxxal -
      Quote: Originally posted by A.T
      The person or people who found this out should have kept it to themselves and told Apple.

      Now everyone knows it
      Concurrent!
    1. pacmac -
      flaw....? More like FAIL
    1. DarkoNova -
      Quote: Originally posted by Alperovich
      it just seems some ppl are just making this a bigger deal than it really is IMHO
      I agree. I don't see how this could really be a problem unless you always leave your phone lying around in public, or if you let random people use your phone. If your phone gets stolen, the majority of people would probably just try to resell it without even bothering to look at your information. It's not nearly as big of a problem as it's being made out to be.

      Matt
    1. dale1v -
      I've seen the same response all over the net, and it annoys me: "it's not a big deal"
      It's a big problem. This phone is supposed to be approaching:
      Enterprise-ready.
      that means: Security please.

      For Average Joe, having the ability to access contacts and mail through unofficial means may not be a big deal to:
      Average Joe

      For an enterprise who send plenty of confidential emails to employees a day, or a businessman with clients contact details on his phone, having the ability to access private data like this is NOT ON.

      Of the millions of iPhone users globally, can we all really say (with confidence) that all of them will be Average Joe's and that all of them will be kind, pure and just? Please.

      I think some of us need to step out of "everything-is-happy-and-perfect-in-Apple-Land" and start looking at the circumstances and possible consequences of leaving gaps in software that take place in the Real World.
    1. Muggz5 -
      Quote: Originally posted by DarkoNova
      I agree. I don't see how this could really be a problem unless you always leave your phone lying around in public, or if you let random people use your phone. If your phone gets stolen, the majority of people would probably just try to resell it without even bothering to look at your information. It's not nearly as big of a problem as it's being made out to be.

      Matt
      Yeah I really don't see an issue with this. I don't know I'd consider it a security breach either. I guess it's really no more of a breach than leaving your wallet on the table and walking away. No one in the right mind would really do this, just as I don't leave this phone on my desk, or if it's left out it's at home, and surely my wife wouldn't steal mine since she has one

      Although I think it's informative and I did change it from my favorites to just the home screen as suggested. It also reminded me to turn off iPod controls, because nothing is more aggravating than having the iPod run all day in my pocket because I accidentally somehow double tapped the home key. (which I've done a few times and drained my battery)

      Was this an attempt at a "back door" just in case someone forgot their password and they don't have to reload the firmware? (I doubt it but it comes to mind) Or do they have ethical hacks that can get through that?

      Also is this extremely important person with these highly classified contacts addresses etc etc so easily available that someone who wants this info can get close enough to physically steal it? Why not instead of going through that much trouble just hack into their computer where they sync and steal it from their address book iTunes syncs to. Or just hack into their email account that they use for this information. You would certainly know about iTunes if you knew about favorites and keys to get to those favorites.
      From my experience anything dealing with sensitive information was communicated using a VPN, with a keychain that shows a code changing every 8 minutes.

      So again, this is why I say "it's not that big of a deal"
    1. bredfan -
      I can't imagine many people who are in a position where confidentiality and security are of the utmost importance, actually using an iPhone as their primary means of information transfer.

      That being said. A security risk is still present and must be remedied. Regardless of the number of people who may perceive it as such.
    1. cursive08 -
      Do you remember the sunburst dock made by nate true? lol. back in 1.1.* you click on emergency call and the sunburst appears to allow access to your whole phone lol. I don't know but it kinda reminds me of this.
    1. qumahlin -
      Quote: Originally posted by dale1v
      I've seen the same response all over the net, and it annoys me: "it's not a big deal"
      It's a big problem. This phone is supposed to be approaching:
      Enterprise-ready.
      that means: Security please.

      For Average Joe, having the ability to access contacts and mail through unofficial means may not be a big deal to:
      Average Joe

      For an enterprise who send plenty of confidential emails to employees a day, or a businessman with clients contact details on his phone, having the ability to access private data like this is NOT ON.

      Of the millions of iPhone users globally, can we all really say (with confidence) that all of them will be Average Joe's and that all of them will be kind, pure and just? Please.

      I think some of us need to step out of "everything-is-happy-and-perfect-in-Apple-Land" and start looking at the circumstances and possible consequences of leaving gaps in software that take place in the Real World.
      Pffft. Your argument would be great if BlackBerrys were much different. If someone is trying to steal your phone to get to your corporate data a quick search of the internet will introduce them to many many programs to accomplish the task.

      This pretty much just saves the thief from having to connect the phone to a PC.

      Moral of the story: if you are an ENTERPRISE USER concerned about SECURITY then just maybe YOU should be careful with what YOU do with COMPANY PROPERTY.