NEWS: Major security flaw in iPhone update 2.0.2

#1 (**permalink**) August 27th, 2008

2.0.2 gives almost full access to the iPhone even while under password
protection...

Steps to Reproduce flaw...

Set iPhone to use passcode lock, have contacts marked as Favorites with
links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to
applications such as Safari, complete Contacts list, SMS, Maps, "full"
Phone access, and Mail by accessing various entries on the Favorite's
page, i.e. tapping their home page brings up a full, unrestricted Safari.

#2 (**permalink**) August 27th, 2008

iPhone News <invalid@nospam.net> wrote in news:invalid-
60961C.18541527082008@news.giganews.com:

> 2.0.2 gives almost full access to the iPhone even while under password
> protection...
>
> Steps to Reproduce flaw...
>
> Set iPhone to use passcode lock, have contacts marked as Favorites with
> links, phone numbers, addresses, etc in address book entry.
>
> Tap "Emergency Call" keypad from passcode entry screen.
>
> Double-tap home button.
>
> Tap blue arrow next to contact's name. You now have full access to
> applications such as Safari, complete Contacts list, SMS, Maps, "full"
> Phone access, and Mail by accessing various entries on the Favorite's
> page, i.e. tapping their home page brings up a full, unrestricted Safari.

I'm shocked!

#3 (**permalink**) August 27th, 2008

iPhone News <invalid@nospam.net> wrote:

> 2.0.2 gives almost full access to the iPhone even while under password
> protection...
>
> Steps to Reproduce flaw...
>
> Set iPhone to use passcode lock, have contacts marked as Favorites with
> links, phone numbers, addresses, etc in address book entry.
>
> Tap "Emergency Call" keypad from passcode entry screen.
>
> Double-tap home button.
>
> Tap blue arrow next to contact's name. You now have full access to
> applications such as Safari, complete Contacts list, SMS, Maps, "full"
> Phone access, and Mail by accessing various entries on the Favorite's
> page, i.e. tapping their home page brings up a full, unrestricted Safari.

not much of a flaw since nobody even uses passcode lock, but even if
someone did, nobody is going to know about this bug. it's a minor issue
at best.

#4 (**permalink**) August 27th, 2008

On 8/27/08 6:54 PMAug 27, "iPhone News" <invalid@nospam.net> wrote:

> 2.0.2 gives almost full access to the iPhone even while under password
> protection...
>
> Steps to Reproduce flaw...
>
> Set iPhone to use passcode lock, have contacts marked as Favorites with
> links, phone numbers, addresses, etc in address book entry.
>
> Tap "Emergency Call" keypad from passcode entry screen.
>
> Double-tap home button.
>
> Tap blue arrow next to contact's name. You now have full access to
> applications such as Safari, complete Contacts list, SMS, Maps, "full"
> Phone access, and Mail by accessing various entries on the Favorite's
> page, i.e. tapping their home page brings up a full, unrestricted Safari.

You left out a critical piece. For this to work, the iPhone settings must
have the double click of HOME set to Phone Favorites.

#5 (**permalink**) August 27th, 2008

"Mike Hofman" <info@recreate68.org> wrote in message
news:48b5e8ef$0$87065$815e3792@news.qwest.net...
> iPhone News <invalid@nospam.net> wrote:
>
>> 2.0.2 gives almost full access to the iPhone even while under password
>> protection...
>>
>> Steps to Reproduce flaw...
>>
>> Set iPhone to use passcode lock, have contacts marked as Favorites with
>> links, phone numbers, addresses, etc in address book entry.
>>
>> Tap "Emergency Call" keypad from passcode entry screen.
>>
>> Double-tap home button.
>>
>> Tap blue arrow next to contact's name. You now have full access to
>> applications such as Safari, complete Contacts list, SMS, Maps, "full"
>> Phone access, and Mail by accessing various entries on the Favorite's
>> page, i.e. tapping their home page brings up a full, unrestricted Safari.
>
> not much of a flaw since nobody even uses passcode lock, but even if
> someone did, nobody is going to know about this bug. it's a minor issue
> at best.

Not much of a problem ? True fanboi. No one is going to know about this bug
? You find a iPhone and do a Google on how to unlock passcode, your going to
find this and others.

#6 (**permalink**) August 27th, 2008

"Kevin Weaver" <kevinkeithweaver@sbcglobal.net> wrote in
news:Jtmtk.19569$mh5.1497@nlpi067.nbdc.sbc.com:

> Not much of a problem ? True fanboi. No one is going to know about
> this bug ? You find a iPhone and do a Google on how to unlock
> passcode, your going to find this and others.
>

I'm sure glad Micro$oft doesn't have these poo poo fanbois trying to
deflect everyone pointing out flaws. XP would have been DOOMED!

#7 (**permalink**) August 28th, 2008

In article <Jtmtk.19569$mh5.1497@nlpi067.nbdc.sbc.com>,
"Kevin Weaver" <kevinkeithweaver@sbcglobal.net> wrote:

> > not much of a flaw since nobody even uses passcode lock, but even if
> > someone did, nobody is going to know about this bug. it's a minor issue
> > at best.
>
> Not much of a problem ? True fanboi. No one is going to know about this bug
> ? You find a iPhone and do a Google on how to unlock passcode, your going to
> find this and others.

no fanboy, just a realist. why you don't want to look at facts is your
problem, not mine.

fact is, far less than 1% use a passcode on their iphone, even fewer
have their home button set to "favorites", then a fraction of those even
lose their iphone in the first place, then couple that with anyone that
has even heard of this bug in the criminal world and you have far less
than 5 people that this could affect.

#8 (**permalink**) August 28th, 2008

"Mike Hofman" <info@recreate68.org> wrote in message
news:48b62f84$0$89392$815e3792@news.qwest.net...
> In article <Jtmtk.19569$mh5.1497@nlpi067.nbdc.sbc.com>,
> "Kevin Weaver" <kevinkeithweaver@sbcglobal.net> wrote:
>
>> > not much of a flaw since nobody even uses passcode lock, but even if
>> > someone did, nobody is going to know about this bug. it's a minor issue
>> > at best.
>>
>> Not much of a problem ? True fanboi. No one is going to know about this
>> bug
>> ? You find a iPhone and do a Google on how to unlock passcode, your going
>> to
>> find this and others.
>
> no fanboy, just a realist. why you don't want to look at facts is your
> problem, not mine.
>
> fact is, far less than 1% use a passcode on their iphone, even fewer
> have their home button set to "favorites", then a fraction of those even
> lose their iphone in the first place, then couple that with anyone that
> has even heard of this bug in the criminal world and you have far less
> than 5 people that this could affect.

Where did you get this *Less then 1% figure* from ? Link ?

#9 (**permalink**) August 28th, 2008

In message <C4DB6480.426ABA%rlhaar@comcast.net> Robert Haar
<rlhaar@comcast.net> wrote:

>You left out a critical piece. For this to work, the iPhone settings must
>have the double click of HOME set to Phone Favorites.

While true, this is the default, and the vast majority of users never
touch Settings.

#10 (**permalink**) August 28th, 2008

Kevin Weaver wrote:
> "Mike Hofman" <info@recreate68.org> wrote in message
> news:48b62f84$0$89392$815e3792@news.qwest.net...
>> In article <Jtmtk.19569$mh5.1497@nlpi067.nbdc.sbc.com>,
>> "Kevin Weaver" <kevinkeithweaver@sbcglobal.net> wrote:
>>
>>>> not much of a flaw since nobody even uses passcode lock, but even
>>>> if someone did, nobody is going to know about this bug. it's a
>>>> minor issue at best.
>>>
>>> Not much of a problem ? True fanboi. No one is going to know about
>>> this bug
>>> ? You find a iPhone and do a Google on how to unlock passcode, your
>>> going to
>>> find this and others.
>>
>> no fanboy, just a realist. why you don't want to look at facts is
>> your problem, not mine.
>>
>> fact is, far less than 1% use a passcode on their iphone, even fewer
>> have their home button set to "favorites", then a fraction of those
>> even lose their iphone in the first place, then couple that with
>> anyone that has even heard of this bug in the criminal world and you
>> have far less than 5 people that this could affect.
>
> Where did you get this *Less then 1% figure* from ? Link ?
>
Yeah, I'm curious about that too. I passcode all of my PDA devices (I have
3). I have sensitive information on them and would really squirm if one were
lost.

Of course, if you're one of those people who just use them as a toy, putting
just a few of your friends' names and numbers on them, and an occasional
"Meet Mom at the Mall" message on the Calendar, along with 7GB of heavy
metal music, that would explain your perspective.

Some people actually use them as TOOLS, keeping important passwords, bank
account numbers, social security numbers, important business contacts,
birthdate information on them, as well as important meeting places on that
calendar. To NOT password protect them is pure foolhardiness. Though I
understand that passwords can be broken, at least discourage the majority of
people, outside of the "pros", who might 'find' your device from tampering
with it.

Hey, I had a non-password protected GPS stolen out of my car about a year
ago. I had all the places I go to programmed into it, including my home
address and place of business, besides other important destinations. Even
that relatively inconsequential stripping of my privacy awakened me to the
dangers of not passcoding. Needless to say, the replacememnt GPS I got
afterwards is passcoded.