Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Bug Allows SMS Spoofing

Posted by Soulskill on from the working-as-intend-ish dept.

Trailrunner7 writes "The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker. The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush."

1 of 92 comments (clear)

  1. Re:What is old is new again... by stephanruby · · Score: 4, Interesting

    Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.

    Yes, but even if you can spoof the sms from header? How are you going to guess the code they send you?

    Notice, the same thing can be done with emails and even http requests. It's easy to forge the headers on those, but if a site implements only half of a handshake without sending back a token to the originating address for two-way verification, then it's the web site that is deemed insecure, not the client.