Beware of iPhone Clickjacking: Update to 2.2

An iPhone clickjacking attack was fixed with last week’s release of the 2.2 software. Prior versions contained a CSS transforms bug that caused iframe content to appear as part of the actual page.

It looks like the bug never saw malicious use in the wild, because the developers who noticed it alerted Apple and kept the bug secret while it was fixed. Like other clickjacking attacks, its most likely use would be to get a user to inadvertently click an ad, though an even more dangerous example is shown that harvests passwords.

If the StreetView and Maps additions in the latest iPhone software weren’t enough to get you to download the free update, let this attack be reason enough.

Though the bug was apparently discovered by developer Wayne Pan, it was submitted by jQuery creator John Resig. Resig keeps turning up through his various projects. In addition to his work on jQuery, he’s on the Firebug team at Mozilla, performance testing browsers and creating JavaScript animations.
