iPhone push on unlocked phones sends AIM message to unintended recipients
Update 7/22: AOL has responded to the reports of misdirected push notifications, and has confirmed that the issue is due to the use of a workaround for push notifications on unlocked phones.
--
If you want to have a hot and steamy exchange with your sweetheart via AIM on the iPhone, you might want to think again -- if you have an unlocked or jailbroken phone.
CrunchGear reports that Till Schadde with Equinux has discovered an iPhone bug where AIM messages could be sent to random people without you even knowing it. Schadde discovered this when he was notified that a message he had sent to his iPhone version of AIM got intercepted by someone else. That person proceeded to contact Schadde, sharing the screenshot shown at right with him. Schadde posted the screenshot and detailed the bug on Twitter after testing it once more from his computer.
The bug is being blamed on iPhone 3.0's push notification and seems to be limited to unlocked/jailbroken iPhones at the moment.
Edit (12:20 PT): Schadde has tweeted that he was contacted by AOL via phone this morning, and they are currently investigating the issue.
[Via CrunchGear]
Pretty lame post - if the issue is limited to Jailbroken phones - it's not a bug or exploit with iPhone OS 3.0. It's a side effect of running a Jailbroken / hacked version of the OS. No doubt Jailbroken users appreciate knowing about the issue, but ease up on the sensationalistic titles.
July 21 2009 at 4:10 PM
What. The. Hell.
I've never read a more poorly researched or understood article in I don't know when. Not only does the author NOT understand the actual subject, but he got it wrong "akschully" pretty good. I'm dropping TUAW for this. I want crap reporting like this, I'll go read Microsoft press releases.
And I had considered TUAW to be one of the last legit Mac news sources out there. Sucks to be wrong.
Solution? Don't hacktivate your iPhone.
July 21 2009 at 2:02 PM
No: The issue is that it seems as though even messages sent from any AIM client are showing up on 3rd party devices with the hack.
So if you have a legitimate iPhone with push enabled and you send a message to your mom, that might show up on some random person's phone if they use the push hack.
Time to stop using AOL or any IM then. For example, I use Beejive and all messages are going to come through Apple as I am registered for push. But then some jerk has my keys by random or other means, so any message meant for me from any IM flavor could get sent to anyone using Beejive. Seems the ball is in Apple's court and this is really going to upset any IM provider no?
July 21 2009 at 1:11 PM
@John: From my understanding: if you have a legit iPhone, and your mom has a legit iPhone, then you won't run into this issue.
If you have a legit iPhone, and your mom has an iPhone with the 'push fix' installed (meaning: She has a key/ID for push that's shared by many), then you may run into this problem.
Or, if your mom has a legit iPhone, but her phone was the 'source' for this key (the original key that they propagated to all the other phones using 'push fix'), then you may run into the problem.
If nobody in the loop is using 'push fix' bogus keys, then I don't believe the push problem will occur.
Am I missing something? Isn't this a problem for legitimate users too? Isn't the problem that the notification and message is sent to a hacktivated phone with duplicated keys, potentially from a legit phone?
July 21 2009 at 12:04 PM
Bob is completely correct.
This post should not include any form of the word "Jailbreak" anywhere in it. This problem is strictly contained to those who have unlocked their phone.
Hey, TUAW: If some guy modifies their iPhone so that it's possible to exploit it, you don't get to call the problems an "iPhone push exploit," nor do you get to blame it "on iPhone 3.0's push notification."
What a useless piece of journalism.
This problem isn't one for jailbreakers. It is one for unlockers. Some people seem to use the terms interchangeably. The Push notification problem was/is only a problem to unlockers. Folks who jailbreak are simply allowing themselves access to unauthorized applications. They are still on the AT&T network, unless they do the unlock.
July 21 2009 at 11:31 AM
Presumably only unlockers who haven't activated with a legit SIM beforehand, too. Since in this country you can't walk out of the Apple store without an activated phone, and in the US all iPhones are on contract so there's no point in unlocking them, I can't see this as being a large group of people.
@Bob: You are correct (I should have been clearer in my past reply).
More specifically: it affects people who "hacktivate" their phones (usually a subset of unlockers), and then install a 'push fix' that installs these bogus keys/identifiers.
If someone has a 'legit' activation (AT&T account, for example), and then "unlocks" their phone (without "hacktivation"), then they wouldn't be affected by this push problem. Unless they then downloaded an (unnecessary) 'push fix' from Cydia that destroys their 'valid' push keys/identifiers.
Someone with a 'legit' phone that just 'jailbreaks' their phone would also NOT see this problem (again, unless they then installed the bogus keys on top of their 'valid' ones).
The way push notification works is that the application registers with Apple's servers when it starts up. Apple returns a supposedly unique identifier from their servers and this is what the application uses to send messages. The application says, send this JSON string to this UID, that is all. If some hacked phones are using the exact same activation keys then it's no wonder that the UID is the same for all the phones.
July 21 2009 at 11:08 AM
Honestly this really isn't Apple's problem... (or at least I could see them saying this...) however, it's not going to really inspire people to want to use push notifications if stuff that could be considered confidential is being broadcast to a lot of people it wasn't destined for.
July 21 2009 at 10:58 AM
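A toy model of the registration and routing that one commenter describes above (an application registers, receives a supposedly unique identifier, and the provider sends a JSON payload to it). This is an added illustration, not code from the post, the commenters, Apple or AOL; the `PushGateway` class, the identity strings and the last-connection-wins delivery rule are assumptions. It also shows a check a push service could run to flag identifiers bound to more than one device.

```python
# Constructed model of the comment's description; not Apple's APNs implementation.
import hashlib
from collections import defaultdict


class PushGateway:
    """Hypothetical push service that derives the device identifier from the
    activation identity a device presents when it registers."""

    def __init__(self):
        self.connections = defaultdict(list)  # token -> inboxes of connected devices

    def register(self, activation_identity: bytes, inbox: list) -> str:
        # The token depends only on the presented identity, so an identity
        # copied onto many phones yields the same token on all of them.
        token = hashlib.sha256(activation_identity).hexdigest()[:16]
        self.connections[token].append(inbox)
        return token

    def send(self, token: str, payload: dict) -> int:
        # The gateway cannot tell devices behind one token apart. Assumption:
        # the notification goes to whichever device connected most recently.
        inboxes = self.connections.get(token, [])
        if inboxes:
            inboxes[-1].append(payload)
        return len(inboxes)

    def shared_tokens(self) -> dict:
        """Defensive check: tokens bound to more than one live connection."""
        return {t: len(i) for t, i in self.connections.items() if len(i) > 1}


def demo() -> dict:
    gw = PushGateway()
    legit, phone_a, phone_b = [], [], []
    # Constructed identities: one unique activation, one copied onto two phones.
    t_legit = gw.register(b"unique-activation-identity", legit)
    t_a = gw.register(b"copied-push-fix-identity", phone_a)
    t_b = gw.register(b"copied-push-fix-identity", phone_b)
    # The IM provider pushes a message intended for phone_a.
    gw.send(t_a, {"aps": {"alert": "private message"}})
    gw.send(t_legit, {"aps": {"alert": "hello"}})
    return {
        "tokens_collide": t_a == t_b,
        "intended_got": len(phone_a),
        "other_got": len(phone_b),
        "legit_got": len(legit),
        "flagged": gw.shared_tokens(),
    }
```
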