Filed under: Bugs/Recalls, iPhone, Jailbreak/pwnage
iPhone push on unlocked phones sends AIM message to unintended recipients
Update 7/22: AOL has responded to the reports of misdirected push notifications, and has confirmed that the issue is due to the use of a workaround for push notifications on unlocked phones.
--
If you want to have a hot and steamy exchange with your sweetheart via AIM on the iPhone, you might want to think again -- if you have an unlocked or jailbroken phone.
CrunchGear reports that Till Schadde of Equinux has discovered an iPhone bug where AIM messages can be sent to random people without you even knowing it. Schadde discovered this when he was notified that a message he had sent to his iPhone version of AIM had been intercepted by someone else. That person proceeded to contact Schadde, sharing the screenshot shown at right with him. Schadde posted the screenshot and detailed the bug on Twitter after testing it once more from his computer.
The bug is being blamed on iPhone 3.0's push notification and seems to be limited to unlocked/jailbroken iPhones at the moment.
Edit (12:20 PT): Schadde has tweeted that he was contacted by AOL via phone this morning, and they are currently investigating the issue.
[Via CrunchGear]
Reader Comments (Page 1 of 2)
mentalsticks said 10:28AM on 7-21-2009
>The exploit is being blamed on iPhone 3.0's push notification and seems to be limited to unlocked/jailbroken iPhones at the moment.
Shouldn't this read: The exploit is limited to iPhone 3.0s with push notification and is blamed on unlocking/jailbreaking iPhones at the moment?
Reply
oz_paulb said 10:37AM on 7-21-2009
The title of the article is VERY misleading/sensationalistic - I thought a true exploit of 'push notification' had been found (until I read - at the very end of the summary - that it only affects jailbroken phones).
Isn't this well known (to the jailbreaking community - the people affected)?
The 'solutions' out there for push notification on jailbreak (as far as I understand) were implemented by grabbing 'push keys'/etc from an authorized phone and then distributing those keys to others.
Many people with these same keys have experienced the problem of getting other people's messages. Presumably it's because these 'keys' are an identifier to Apple, and they are using it to decide where to send messages. If multiple people's phones identify themselves as the same phone, it'll presumably confuse the Apple servers.
If you want 'push' to work, I believe you'll need an officially 'activated' iPhone (or an iPod touch).
I'm a couple of weeks behind on my iPhone 'push notification' news - maybe things have progressed - although I really doubt a solid 'fix' will be released for jailbreak users.
Jim In Holland said 10:45AM on 7-21-2009
Exactly - it should read something like:
"The exploit is limited to users who have unlocked/jailbroken an iPhone with the 3.0 OS" - simple, easy to understand and obvious who is to blame. You jailbreak your phone, then expect to see criminals...
Also, TUAW's new linkwhoring is getting to be more than a bit annoying - I'm now debating tossing it from the RSS reader, like I did with Gizmodo and Engadget.
Reply
Brandon said 11:21AM on 7-21-2009
I dumped Giz too. The commenting system sucks and I'm tired of being thrown to their shit-tacular mobile site.
I'm considering dumping TUAW for the simple fact that I can't get to the second page of comments without being redirected to the home page.
Hawkman said 12:05PM on 7-21-2009
Even that's not true, Jim In Holland. It's not jailbreaking that's the problem here, or even unlocking; push notifications won't work on unlocked, or most jailbroken, phones at all.
It's the installing of the popular (but not really dev-team-sanctioned) "push fix" that does this. Because it's not really a fix, it's just using another phone's certificates.
Jim In Holland said 3:04AM on 7-22-2009
While I'd like to think the hacker community is good and all, it's still their fault. Here's why, from the iPhone Blog:
".. for those of you who are unfamiliar with “hacktivation”, it’s simply a process that tricks an iPhone into believing it has authorized itself with Apple via iTunes and is ready to be used, but is actually activated by other, non-Apple software.
"These hacktivated iPhones are not being assigned a unique push ID by Apple the way iTunes activated iPhones with legit SIMs are. One of our readers, Greg, summed it up best in the comments from our last push notification issue post:
" 'The difference is hacktivation, not jailbreaking. There’s a fair bit of crypto involved in the activation process and the “fixes” so far involve taking certs from other phones. This will only work for so long; eventually people are going to have to be on official carriers and paying official plan rates for Push and YouTube and who knows what they’ll cert off in 3.1 or 4.0?'
"The Dev Team seem to be working on a fix but it does not appear it will come anytime soon as they’ve avoided even posting a fix on their blog. Instead, they quietly posted a link on their Twitter page to a very beta fix.
All of this is yet another part of the cat and mouse game, but it’s important to try and understand what’s going on: normal iPhone users should have nothing to worry about at this time."
So now we have the real facts as to why this happens - It's not Apple's fault; if you want to blame someone, as is the common culture, you can choose another party. (I'll choose...Bill O'Reilly. Happy to blame him for everything...)
Ronnyek said 11:04AM on 7-21-2009
honestly this really isn't apple's problem... (or at least I could see them saying this...) however, it's not going to really inspire people to want to use push notifications if stuff that could be considered confidential is being broadcast to a lot of people it wasn't destined for.
Reply
Devon said 11:09AM on 7-21-2009
The way push notification works is that the application registers with Apple's servers when it starts up. Apple returns a supposedly unique identifier from their servers and this is what the application uses to send messages. The application says, send this JSON string to this UID, that is all. If some hacked phones are using the exact same activation keys then it's no wonder that the UID is the same for all the phones.
Reply
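As an added illustration (not code from the article, AOL, Apple or any of the commenters) of the identifier collision that oz_paulb and Devon describe: a toy push broker that routes on the push identity alone fans a payload out to every connected session presenting that identity, while one that checks for concurrent use from different sources can hold the message and raise an alert instead. The session records, identities and addresses are constructed, and the broker is a simplified model, not Apple's service.

```python
import json
from collections import defaultdict

# Constructed sample: three connected handsets. s1 is the handset whose push identity
# was copied; s2 is a handset running a "push fix" that presents the same copied identity;
# s3 is an unrelated handset with its own identity. "src" stands in for whatever
# per-connection attributes a real broker sees (all values here are made up).
SESSIONS = [
    {"session": "s1", "push_id": "tok-A1", "src": "10.0.0.5"},
    {"session": "s2", "push_id": "tok-A1", "src": "198.51.100.7"},
    {"session": "s3", "push_id": "tok-B2", "src": "10.0.0.9"},
]


def route_naive(sessions, push_id, payload):
    """Broker that routes on the push identity alone: every connected session that
    presents push_id receives the payload, which is the misdirection described above."""
    body = json.dumps(payload)
    return [(s["session"], body) for s in sessions if s["push_id"] == push_id]


def find_shared_identities(sessions):
    """Detection check: identities in concurrent use from more than one source."""
    sources = defaultdict(set)
    for s in sessions:
        sources[s["push_id"]].add(s["src"])
    return {pid: sorted(srcs) for pid, srcs in sources.items() if len(srcs) > 1}


def route_strict(sessions, push_id, payload):
    """Hardened broker: hold the message (deliver to nobody) and report the identity
    when it is shared, instead of fanning the payload out to every claimant."""
    shared = find_shared_identities(sessions)
    if push_id in shared:
        return [], {"held": push_id, "sources": shared[push_id]}
    return route_naive(sessions, push_id, payload), None


if __name__ == "__main__":
    msg = {"aps": {"alert": "hi mom"}}  # constructed notification payload
    print("naive:", route_naive(SESSIONS, "tok-A1", msg))    # delivered to s1 and s2
    print("strict:", route_strict(SESSIONS, "tok-A1", msg))  # held, tok-A1 reported
```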
Bob said 11:31AM on 7-21-2009
This problem isn't one for jailbreakers. It is one for unlockers. Some people seem to use the terms interchangeably. The Push notification problem was/is only a problem to unlockers. Folks who jailbreak are simply allowing themselves access to unauthorized applications. They are still on the AT&T network, unless they do the unlock.
Reply
Tony said 11:35AM on 7-21-2009
Presumably only unlockers who haven't activated with a legit SIM beforehand, too. Since in this country you can't walk out of the Apple Store without an activated phone, and in the US all iPhones are on contract so there's no point in unlocking them, I can't see this as being a large group of people.
oz_paulb said 11:50AM on 7-21-2009
@Bob: You are correct (I should have been clearer in my past reply).
More specifically: it affects people who "hacktivate" their phones (usually a subset of unlockers), and then install a 'push fix' that installs these bogus keys/identifiers.
If someone has a 'legit' activation (AT&T account, for example), and then "unlock" their phone (without "hacktivation"), then they wouldn't be affected by this push problem. Unless they then downloaded an (unnecessary) 'push fix' from Cydia that destroys their 'valid' push keys/identifiers.
Someone with a 'legit' phone that just 'jailbreaks' their phone would also NOT see this problem (again, unless they then installed the bogus keys on top of their 'valid' ones).
Nate said 11:38AM on 7-21-2009
Hey, TUAW: If some guy modifies their iPhone so that it’s possible to exploit it, you don’t get to call the problems an “iPhone push exploit,” nor do you get to blame it “on iPhone 3.0's push notification.”
What a useless piece of journalism.
Reply
macboy14 said 11:48AM on 7-21-2009
Bob is completely correct.
This post should not include any form of the word "Jailbreak" anywhere in it. This problem is strictly contained to those who have unlocked their phone.
Reply
newtonheath71 said 12:04PM on 7-21-2009
Am I missing something? Isn't this a problem for legitimate users too? Isn't the problem that the notification and message is sent to a hacktivated phone with duplicated keys, potentially from a legit phone?
Reply
John said 12:34PM on 7-21-2009
No: The issue is that it seems as though even messages sent from any AIM client are showing up on 3rd party devices with the hack.
So if you have a legitimate iPhone with push enabled and you send a message to your mom, that might show up on some random person's phone if they use the push hack.
Reply
newtonheath71 said 1:11PM on 7-21-2009
Time to stop using AOL or any IM then. For example, I use Beejive and all messages are going to come through Apple as I am registered for push. But then some jerk has my keys by random or other means, so any message meant for me from any IM flavor could get sent to anyone using Beejive. Seems the ball is in Apple's court and this is really going to upset any IM provider no?
oz_paulb said 1:19PM on 7-21-2009
@John: From my understanding: if you have a legit iPhone, and your mom has a legit iPhone, then you won't run into this issue.
If you have a legit iPhone, and your mom has an iPhone with the 'push fix' installed (meaning: She has a key/ID for push that's shared by many), then you may run into this problem.
Or, if your mom has a legit iPhone, but her phone was the 'source' for this key (the original key that they propagated to all the other phones using 'push fix'), then you may run into the problem.
If nobody in the loop is using 'push fix' bogus keys, then I don't believe the push problem will occur.
Eric D. said 2:05PM on 7-21-2009
Solution? Don't hacktivate your iPhone.
Reply
Geoff Miller said 2:38PM on 7-21-2009
What. The. Hell.
I've never read a more poorly researched or understood article in I don't know when. Not only does the author NOT understand the actual subject, but he got it wrong "akschully" pretty good. I'm dropping TUAW for this. I want crap reporting like this, I'll go read Microsoft press releases.
And I had considered TUAW to be one of the last legit Mac news sources out there. Sucks to be wrong.
Reply
BOK said 2:56PM on 7-21-2009
TUAW strikes again with another misleading headline and article. Unofficial weblog indeed.
Reply