iUsability-Pwned!
Lothar informed me about a strange behaviour of the iPhone running OS 3. It seems like the iPhone is automatically opening a browser when joining a network. (See video of the whole probleme here: http://www.vimeo.com/5466236)
The iPhone tries to do the following:
1. DNS querries for www.apple.com
2. Opening http://www.apple.com/library/test/success.html
When both are successful, then fine... the phone gets back "success" and everything is ok.
When both are failing... thats fine as well because then the phone assumes that the internet connection is not up and running.
BUT <-- isn't there always a BUT?!
If the phone can succcessfully querry the name but get back any different content than "Success"
it assumes that there is a captive portal which requires you to authenticate first to get access to the internet.
This is true for many hotspots etc... so Apple was thinking.. damn thats annoying for the user... lets open up
Safari automatically if this special case comes into place :-)
Usability kills security .... together with karmetasploit its a very evil thing. Get Iphones cookies, accounts and maybe even
system control... depending on the bugs you have left to test.
You can see the whole thing as a video @vimeo http://www.vimeo.com/5466236 .... now lets find some new safari bugs :-)
And thank you lothar for the fish.
The iPhone tries to do the following:
1. DNS querries for www.apple.com
2. Opening http://www.apple.com/library/test/success.html
When both are successful, then fine... the phone gets back "success" and everything is ok.
When both are failing... thats fine as well because then the phone assumes that the internet connection is not up and running.
BUT <-- isn't there always a BUT?!
If the phone can succcessfully querry the name but get back any different content than "Success"
it assumes that there is a captive portal which requires you to authenticate first to get access to the internet.
This is true for many hotspots etc... so Apple was thinking.. damn thats annoying for the user... lets open up
Safari automatically if this special case comes into place :-)
Usability kills security .... together with karmetasploit its a very evil thing. Get Iphones cookies, accounts and maybe even
system control... depending on the bugs you have left to test.
You can see the whole thing as a video @vimeo http://www.vimeo.com/5466236 .... now lets find some new safari bugs :-)
And thank you lothar for the fish.
3 Comments:
Hey Max,
I'm not sure I get your point (or Lothar's point) here. What is exposing your ass is the fact that you are joining and unknown and untrusted network, and receiving IP and DNS config from it. Anything you would do from this point on in the network is owned.
Do you just mean that Safari started without being asked for? I don't see a big deal with that. If you joined a network, I would say that the next thing you're doing is browsing (or using applications that need Internet access).
Awesome, truly amazing work!
iPhone App Development
Well, now. More than that. If there is a captive portal, and in the captive portal page you want to do something neat (like playing a video using tag) you're not going to be able to do that, if you don't allow ppl to reach www.apple.com :)
If you add www.apple.com to your allowed sites in the CP then everything works like it should. Other devices work like a charm without crap like this (eg. Android).
Post a Comment
Subscribe to Post Comments [Atom]
<< Home