iPhone/iPod touch password hack - reason to upgrade to 3.1?
Mon, 09/14/2009 - 1:08am — Jonny Evans
4540
This simple trick lets you crack the passwords on an iPhone or iPod touch - though it only threatens users who leave their device in hands reach of somebody they can't trust.
The slight flaw can be exploited in almost every available application that stores passwords, including your saved email account passwords.
By simply using the delete button, an unauthorised person can reveal all the characters which make up your password, with the exception of the very first character in the password field. It works when a password field is present with a saved password in it.
The good news? This particular bug seems to have been patched in iPhone Software 3.1.
Perhaps that makes it a good reason to upgrade your Apple device - though users of jailbroken iPhones will probably wait a while.
For you to be able to see the password "dots" you have to be in the application to access the change password functionality, unless someone can point me to an area where that isn't required.
So, unless you have already gotten past the password access, you can't change the password and access the "dots" to reveal the letters, am I right?
If this is the case, it's not really a security issue, unless you are prone to leaving your iPhone lying about, unattended, logged into whatever password-protected application you are in without the iPhone being locked.
No, you are incorrect. If someone can get past your initial lockscreen, ie., you don't pin-protect it, then all they would need to do to get all of your email passwords are go to Settings, Mail, Account, then do the demonstrated technique on your password field.
.
I confirmed this myself this morning with my own 3.0 iPhone 3GS, because, like you, I figured it wasn't a real security issue unless you'd just entered the password, but I was wrong. The flaw is real, and it is serious, in my opinion. Just one more reason I don't understand why anyone would ever NOT pin-lock something like an iPhone that has so much personal information on it.
I have never intentionally used the shake-to-undo feature. I do however get a "nothing to undo" box in my way a couple times a day. Is there a setting to turn the whole thing off!
- though it only threatens users who leave their device in hands reach of somebody they can't trust.
Delicious
Digg
StumbleUpon
Reddit
Facebook
Google
Yahoo
Comments
this is really not serious
this is really not serious from apple!
Yikes, this really does work
Yikes, this really does work on previously saved passwords. VERY bad security hole in my opinion.
Realistically, not that bad if you PIN lock your iPhone, and if you don't, why don't you...?
How did the guy get the
How did the guy get the Rogers logo like that in the top portion of device's screen? Jailbroken?
Rogers is Canada. I see it
Rogers is Canada. I see it whenever I travel to Montreal despite my provider being ATT (no jailbroken)
How do you get there in the first place?
For you to be able to see the password "dots" you have to be in the application to access the change password functionality, unless someone can point me to an area where that isn't required.
So, unless you have already gotten past the password access, you can't change the password and access the "dots" to reveal the letters, am I right?
If this is the case, it's not really a security issue, unless you are prone to leaving your iPhone lying about, unattended, logged into whatever password-protected application you are in without the iPhone being locked.
No, you are incorrect. If
No, you are incorrect. If someone can get past your initial lockscreen, ie., you don't pin-protect it, then all they would need to do to get all of your email passwords are go to Settings, Mail, Account, then do the demonstrated technique on your password field.
.
I confirmed this myself this morning with my own 3.0 iPhone 3GS, because, like you, I figured it wasn't a real security issue unless you'd just entered the password, but I was wrong. The flaw is real, and it is serious, in my opinion. Just one more reason I don't understand why anyone would ever NOT pin-lock something like an iPhone that has so much personal information on it.
I have never intentionally
I have never intentionally used the shake-to-undo feature. I do however get a "nothing to undo" box in my way a couple times a day. Is there a setting to turn the whole thing off!
(I am in 3.1 so this is really a tangent.)
When I type my password in
When I type my password in 1Password-App and shake it then click "Undo Typing" the whole PW is deleted. -> No Problem!
When I enter my pin and shake: Nothing happens, can't undo typing. -> No Problem!
THANK YOU.