BlackBerry Dinged by Phishing Flaw

Research in Motion (RIM) has shipped a fix for a serious security vulnerability that exposes BlackBerry users to phishing attacks.
The certificate handling vulnerability, which carries a CVSS severity score of 6.8, affects all versions of the BlackBerry device software.

The flaw allows malicious hackers to trick BlackBerry device users into connecting to an attacker-controlled Web site, RIM warned in an advisory.

Here’s the gist of the problem:

A malicious user could create a web site that includes a certificate that is purposely altered using null (hidden) characters in the certificate’s Common Name (CN) field or otherwise manipulated to deceive a BlackBerry device user into believing they have connected to a trusted web site.

If the malicious user then performs a phishing-style attack by sending the BlackBerry device user a link to the web site in an SMS or email message that appears to be from a trusted source, and the BlackBerry device user chooses to access that site, the BlackBerry Browser will correctly detect the mismatch between the certificate and the domain name and display a dialog box that prompts the user to close the connection. However, the dialog box does not display null characters, so the user may believe they are connecting to a trusted site and disregard the recommended action to close the connection.
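The display problem described above comes down to two different ways of reading the same Common Name: the DER encoding carries an explicit length, so an embedded 0x00 byte is a legitimate part of the value, while a NUL-terminated display stops at that byte. The following added example (not RIM's code, and not from the advisory) decodes a constructed CN value from its DER length, shows what a NUL-terminated renderer would display, and shows a safer rendering and check that surfaces the hidden byte; the host names are placeholders.

```python
# Added example, not BlackBerry/RIM code: decoding a CommonName value by its
# DER length, then comparing a NUL-terminated display with a safe display.

def der_decode_string(tlv: bytes) -> bytes:
    """Decode one DER UTF8String (tag 0x0C) or PrintableString (0x13) TLV.

    The value is taken by the encoded length, never by a NUL terminator, so an
    embedded 0x00 byte survives. Short-form and one-byte long-form lengths only.
    """
    if len(tlv) < 2 or tlv[0] not in (0x0C, 0x13):
        raise ValueError("not a UTF8String/PrintableString TLV")
    if tlv[1] < 0x80:
        length, offset = tlv[1], 2
    elif tlv[1] == 0x81 and len(tlv) >= 3:
        length, offset = tlv[2], 3
    else:
        raise ValueError("unsupported DER length encoding")
    value = tlv[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return value


def naive_display(cn: bytes) -> str:
    """What a C-string style dialog shows: everything up to the first NUL."""
    return cn.split(b"\x00", 1)[0].decode("utf-8", "replace")


def safe_display(cn: bytes) -> str:
    """Render every byte; NUL and other non-printables become visible escapes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in cn)


def cert_name_check(cn: bytes, url_host: str) -> dict:
    """Compare the full CN with the host from the URL and flag hidden bytes."""
    has_nul = b"\x00" in cn
    full_name = cn.decode("utf-8", "replace").lower()
    return {
        "matches": not has_nul and full_name == url_host.lower(),
        "has_nul": has_nul,
        "shown_as": safe_display(cn),
    }


# Constructed sample values (placeholder host names, not from the advisory).
FORGED_CN = b"www.bank.example\x00attacker.example"
FORGED_TLV = bytes([0x0C, len(FORGED_CN)]) + FORGED_CN

if __name__ == "__main__":
    cn = der_decode_string(FORGED_TLV)
    print("NUL-terminated dialog shows:", naive_display(cn))
    print("safe dialog shows:", safe_display(cn))
    print(cert_name_check(cn, "attacker.example"))
```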

BlackBerry users are urged to download and apply the patch for the BlackBerry Device Software as soon as possible.

In the meantime, RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages.
