account
search
search

Flaw in Apple's iOS risks message hack

  |   Aug. 20, 2012 at 7:39 PM
| License Photo
SAN FRANCISCO, Aug. 20 (UPI) -- A security flaw in Apple's iOS operating system allows text messages to be spoofed, well-known hacker Pod2g says.

If exploited, the flaw allows someone to send a text message with a different address on the "reply" line from what appears in the "from" field of the message, Pod2g said.

Such a message could appear to be from someone a user trusts, such as a family member, with a message to asking for their bank account details.

Someone replying to the message, thinking they were replying to the family member, could be sending sensitive information almost anywhere.

"Pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated Web site," TG Daily quoted Pod2g as saying.

A criminal can take advantage of a feature of text messaging called Protocol Description Unit while hacking a so-called User Data Header so the message appears to come from someone else.

"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one," Pod2g said. "On [an] iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin," he said.

Apple has responded, suggesting iOS users avoid SMS text messaging and use Apple's own iMessage app instead, TechSpot reported.

However, iMessage can only be used if both parties are using an iOS 5 or later device.

Apple should take steps to minimize SMS spoofing instead of using the situation to push iMessage, security expert Seth Bromberger from NCI Security said.

Apple has not committed to making any changes in how reply-to addresses are handled for SMS in its iOS, TechSpot reported.

Related UPI Stories
© 2012 United Press International, Inc. All Rights Reserved. Any reproduction, republication, redistribution and/or modification of any UPI content is expressly prohibited without UPI's prior written consent.
x
Feedback