iPhone Bug Allows SMS Spoofing 92
Trailrunner7 writes "The iPhone SMS app contains a quirky bug that could allow someone to send a user a text message that appears to come from any number that the sender specifies. The researcher who discovered the bug said it could be used by attackers to spoof messages from a bank or credit card company and send the victim to a target site controlled by the attacker. The issue lies in the way iOS implements a section of the SMS message called User Data Header, which has a number of options, one of which allows the user to change the phone number that the text message appears to come from. The advent of mobile banking apps, some of which use SMS messages for out-of-band authentication, makes this kind of attack vector perhaps more worrisome and useful for attackers than it would seem at first blush."
Re:What is old is new again... (Score:5, Interesting)
Lovely fail there since a lot of sites use SMS for some sort of authentication, Google, and Blizzard among them.
Yes, but even if you can spoof the sms from header? How are you going to guess the code they send you?
Notice, the same thing can be done with emails and even http requests. It's easy to forge the headers on those, but if a site implements only half of a handshake without sending back a token to the originating address for two-way verification, then it's the web site that is deemed insecure, not the client.
Re:Problem with the iPhone, or the cell system? (Score:4, Interesting)
No, the receiving IPhone is using data that comes from the sending phone rather than the tower. This is definitely an IPhone issue.
Not limited to iPhone. I have yet to find an Android SMS app that doesn't discard the sending "number" in favor of anything that looks like an email address in the body of the message.
T-Mobile has an email to SMS gateway that copies the From and Subject headers into the front of the message separated by '/'. They send these SMS from a number in the 3-4 thousand range, and keep a back-mapping so a reply to that SMS number will go back to the email sender. EVERY SMS app I've seen on Android pulls the email address from the body of the SMS message and throws away the reply-to number. That means I can never reply to an email I get via SMS, except through the phone's email app. Which has a different email address associated with it.
Anyone know an SMS app for Android that does NOT do this?