2009/09/05

iPhone Password Security Issue

While playing with my iPhone, I uncovered a security hole that allows unmasking any password that is persisted and can be edited.

This hack is verified to work on software version 3.0 and 3.0.1. The example below explains how to unmask an email password one character at a time.

1. Navigate to the password field in the email settings.
2. Delete the last masked character.
3. Shake the phone for the undo function and select undo.
4. Write down the unmasked character the iPhone shows when the delete is undone.
5. Delete the character again (the password is now 1 character shorter than before).
6. Hit the home button.
7. Go to step 1 and repeat until all characters are unmasked.

After unmasking all of the password, place it back in so the owner is none the wiser.

Given the above, I would suggest always using the Passcode Lock feature to prevent a third party from unmasking your passwords. Also, it would be nice if Apple fixes this in the next software release. (Note: they did fix the issue!)