Research in Motion (RIM) has patched a recently discovered security vulnerability which exposes BlackBerry users to phishing attacks.
The vulnerability could allow a malicious user to set up a web site that presents a specially crafted certificate containing null characters in the certificate's Common Name (CN) field, and so trick BlackBerry users into thinking they are connecting to a secure and trusted web site. The malicious user could then carry out a phishing attack by sending a link to this web site to a BlackBerry user via e-mail or SMS, making it appear to come from a trusted source. When the BlackBerry user chooses to open that link, the BlackBerry browser detects a mismatch between the specially crafted certificate and the domain name and prompts the user to close the connection. However, because the dialog box does not display the null characters, the certificate name appears to match the trusted site, so users may believe they are still connecting to it and choose to continue to the malicious web site.
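The paragraph above describes two separate weaknesses a certificate name with an embedded null can exploit: a length-unaware comparison that silently truncates at the null, and a warning dialog that drops the null when rendering the name, so the remainder is invisible to the user. The following is an added example (not from the original article or from RIM) that models both checks in plain Python on a constructed Common Name; the host names `www.example-bank.test` and `attacker.test` are made-up sample values, not anything from the advisory.

```python
"""Constructed example: why an embedded NUL in a certificate Common Name
defeats a truncating comparison, and how a strict check and an escaping
display routine expose it. Not code from the original article or from RIM."""

# Constructed sample CN: a trusted-looking prefix, a NUL byte, then the rest of
# the name the certificate was really issued for (hypothetical values).
CRAFTED_CN = "www.example-bank.test\x00.attacker.test"
HONEST_CN = "www.example-bank.test"
EXPECTED_HOST = "www.example-bank.test"


def naive_c_style_match(cn: str, hostname: str) -> bool:
    """Mimics code that hands the CN to a C string routine: everything after
    the first NUL is dropped before the comparison, so the crafted CN passes."""
    truncated = cn.split("\x00", 1)[0]
    return truncated.lower() == hostname.lower()


def strict_match(cn: str, hostname: str) -> bool:
    """Length-aware comparison that rejects any control character in the CN.
    A legitimate DNS name never contains a NUL, so refusing is safe."""
    if any(ord(ch) < 0x20 for ch in cn):
        return False
    return cn.lower() == hostname.lower()


def display_name(cn: str) -> str:
    """Render a CN for a warning dialog so that control characters are shown
    as visible escapes instead of being silently dropped by the UI."""
    return "".join(
        ch if ord(ch) >= 0x20 else f"\\x{ord(ch):02x}" for ch in cn
    )


def check_certificate_name(cn: str, hostname: str) -> dict:
    """Summarise how one CN fares against both comparison styles and how it
    would be shown to the user. Returned as a dict so the outcome is testable."""
    return {
        "contains_nul": "\x00" in cn,
        "naive_match": naive_c_style_match(cn, hostname),
        "strict_match": strict_match(cn, hostname),
        "display": display_name(cn),
    }


if __name__ == "__main__":
    for label, cn in (("honest", HONEST_CN), ("crafted", CRAFTED_CN)):
        result = check_certificate_name(cn, EXPECTED_HOST)
        print(f"{label:8s} nul={result['contains_nul']} "
              f"naive={result['naive_match']} strict={result['strict_match']} "
              f"shown as: {result['display']}")
```

The truncating comparison accepts the crafted name because it never sees what follows the null; the strict comparison refuses it outright. The display routine is the fix for the second weakness the article describes: a dialog that prints `\x00` in the middle of the name gives the user a visible reason to distrust the certificate instead of a name that looks exactly like the trusted site's.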
BlackBerry users should obtain and apply the patch for the BlackBerry Device Software. To check for updates to BlackBerry Device Software, please visit www.blackberry.com/updates.
References:
ZDNet Article
http://blogs.zdnet.com/security/?p=4500
BlackBerry Security Advisory
http://www.blackberry.com/btsc/viewContent.do?externalId=KB19552
Secunia Security Advisory
http://secunia.com/advisories/36875/