[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

iphone email client does not validate ssl certificates

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: iphone email client does not validate ssl certificates
From: Bill Borskey <wborskey@xxxxxxxxx>
Date: Fri, 11 Sep 2009 12:33:33 -0500

Info:

iPod/iPhone standard e-mail application does not validate SSL certificates
and is vulnerable to a MITM (man in the middle attack).

Vulnerable: All versions.

Discovered by: William Borskey wborskey@xxxxxxxxx

Discussion:

The mail application that ships with the iPod/iPhone does not validate SSL
certificates. A malicious user can use software such as ettercap-ng to sniff
email passwords without the application warning the victim that the
certificate may be invalid.

Exploit:

This flaw can be exploited with ettercap-ng.

Follow-Ups:
- Re: iphone email client does not validate ssl certificates
  - From: Pavel Machek

Prev by Date: Re: Regular Expression Denial of Service
Next by Date: [ MDVSA-2009:231 ] htmldoc
Previous by thread: [ MDVSA-2009:230 ] pidgin
Next by thread: Re: iphone email client does not validate ssl certificates
Index(es):
- Date
- Thread