iPhone Security Hole Discovered - View iPhone Passwords

[Kyle Matthews]

Just submitted to Apple as a bug, rpetrich (developer of the ActionMenu packages in Cydia) discovered an interesting security bug in the iPhone firmware.

If a password is inputted in a field, shake to undo, and you will be able to see the character you are deleting. Simply repeat this for every character, and you have the password.

Obviously this isn't an issue that would be useful for those with a criminal bent, as you'd have to be within grabbing distance of someone who input their password, DIDN'T navigate off the page, and then left their iPhone... but a security bug none-the-less. EDIT: rpetrich lets us know, this also works in any apps that save passwords (such as most Twitter apps) - making this bug much more severe.

EDIT AGAIN: This seems to have been fixed in FW 3.1. Which is NOT a good enough reason to upgrade yet, heh - wait for the jailbreak.

EDIT 3: The guys over at NeoWin made up a video showing this bug:



You can submit security bugs to Apple here.

rpetrich's Twitter

[Melech518]

What about the ones who have auto-fill turned on? Doesnt that remember passwords hence the bug would work for someone to steal your password if they had your device?

[FURBY8704]

oh my oh my now thats scary =S

which FW s this for??...3.1??

[RandyC]

Hmmm tried it on my phone in Safari but doesn't seem to happen to me. Maybe I'm doing it wrong? On iPhone 3G 3.1

[ifonemaniac]

its not a defect...its a feature..

[TheOrioles33]

Hmmm tried it on my phone in Safari but doesn't seem to happen to me. Maybe I'm doing it wrong? On iPhone 3G 3.1

It's been fixed for for 3.1. You're good.

[sucram6791]

ya this didnt happen to me in the youtube app

[mrguy]

all i wanna know is "will i ever be able to jailbreak 3.1 or not??"

[Melech518]

all i wanna know is "will i ever be able to jailbreak 3.1 or not??"

Don't hijack this thread. It has absolutely nothing to do with a jailbeak...
Visit http://blog.iphone-dev.org/ for info on a jailbreak

[SVD85]

if you are trying to do it yourself to see if it works, you have to wait a bit after you type your password or after you start to delete each character or else when u shake to undo, it will undo the whole password or all of the deletes you did to get to the other characters (if that makes sense) ... this bug def works so an easy fix would be not to auto save passwords or keep your phone tight in your hands when inputting a pw

[StealthBravo]

It works and is amazing.

[Melech518]

^Remind me to keep my phones away from you

[StealthBravo]

good idea. But there are easier ways to get your passwords

[angiepangie]

Don't hijack this thread. It has absolutely nothing to do with a jailbeak...
Visit Dev-Team Blog for info on a jailbreak

Please don't
I'm going crazy with the "When is 3.1 jailbreak out?" posts...

[StealthBravo]

Someone leaked the 3.1 jailbreak on the dev teams blog several hours ago. Wow that must be annoying to deal with those guys posting it every 30 minutes. Dev-Team Blog


Did you erase it angiepangie?

[angiepangie]

They did?! Where??
Perhaps Confucious got to it.. idk.

[TheSlimOne]

Someone leaked the 3.1 jailbreak on the dev teams blog several hours ago. Wow that must be annoying to deal with those guys posting it every 30 minutes. Dev-Team Blog


Did you erase it angiepangie?

Now you have an accomplice to help you stir the pot?
I wish I would have thought of that !
I bet the dev teams blog is now getting blown up with even more hits than it already was.

[angiepangie]

I didn't see it.
Stealth was it on the main post or on an older one?

[Channan]

3GS - 3.0.1 Yep, it works. And definitely not worth losing tethering or my jailbreak altogether.

[angiepangie]

OOOOOHHHHHHHH man... I just got you Stealth..
dammmmnnnnnn I was taking you seriously...
Never againn...