Category Archive 'Security'
24.07.07

Your iPhone has a hole

- Video, Security, Hacks, iPhone, Apple Inc. -

Some nice folk with lots of time on their hands at Independent Security Evaluators thought it might be fun to find a vulnerability in the iPhone, and after a couple of weeks of on-again, off-again work, inevitably found one.

Then they followed the hole to its logical conclusion - a full, workable exploit, which, probed with tools made by the other nice folk at #iphone dev (still feverishly trying to crack the phone after a month), can do stuff like steal your SMS messages, address book, call history and voicemail, among other things. This is done using a malicious website opened in Safari on the iPhone.

More a proof of concept than actual malicious intention, the ISE people have informed the mothership so patches can be created, and full disclosure will be made with fanfare in Las Vegas at Black Hat USA 2007 on Aug. 2 at precisely 4:45pm. Meantime, details abound on the net:

Article from the New York Times here.

YouTube video here.

PDF of preliminary technical paper here.

ISE website with instructions here.

10.07.07

TIP: Secure your GMail Notifier

- Security, Tips, Hacks -

If you’re like me, with no push email on my phone but still obsessive about getting the latest from your Gmail inbox, you probably use Google’s freeware GMail Notifier, which updates you as to what’s new as it arrives.

Imagine my horror when I discovered that the Notifier sends your password out in clear text every time it accesses your inbox over the net. Thankfully, I found this out at about the same time a tip was being shared to shut down this loophole. The tip is so useful I can’t resist passing it along.

Here’s what you do, courtesy of a comment by poster Highplace on an O’Reillynet.com thread and repeated on macosxhints.com:

Pull down the Notifier menu (either Calendar or Gmail), hold down Command and Option, and click Preferences on the menu. You’ll see a hidden settings editor. Enter ‘SecureAlways’ in the Key field (upper and lower case must be entered as shown) and 1 in the Value field, then click Set. Quit Notifier and start it up again. From now on all connections with both Gmail & Gcal will be https.

Nice to know.

07.07.07

…almost there

- Security, Hacks, iPhone -

More blah blah blah.

According to a thread at Hackintosh, late yesterday the very industrious folk over at #iPhone enabled a full interactive shell in the iPhone OS using the iPhoneInterface app mentioned previously, coupled with some creative soldering involving a resistor and some pins, plus three short commands through iPhoneInterface. The resulting serial console got the hackers an interactive shell with a near-complete command list that is a massive step towards achieving their holy grail. (At least that’s how I understand it.)

We officially don’t support this - we’re just reporting it - but nevertheless the world waits with bated breath.

02.07.07

Fake! Fake!

- Security, iPhone -

A website that purports to unlock iPhones so they can be used outside of AT&T service (meaning anywhere in the world that uses the GSM system) has been exposed as a fake.

Digg reports that iphoneunlocking.com is a big fat scam to secure iPhone IMEI codes by the truckload, and cites a blog called Stand Your Grounds (which makes me think of messy coffee makers) that claims to prove (a bit unintelligibly) that the site is a fake. Hey, I could have told you that right off.

Americans beware. Non-Americans, wishful thinking. Shame on you.

01.07.07

Breaking News: iPhone firmware leaked; hacking proceeds apace

- News, Security, Downloads, Operating System, iPhone -

Not even 24 hours since its release, hackers are hard at work at kracking the iPhone from a 91.5MB iPhone OS System Restore Image now available for download on the internet, and sourced, apparently, from an Apple webserver.

Mac-A-Doodle will not be a party to this by posting a link to the Mac hacker forum where this download is available, although we will say that with a little, um, digging, it can easily be found. (Not that most of us can do anything with it; the DMG from the IPSW file is passworded, and even if you succeeded in decompressing it, is only useful to the precious few who can work the black magic.)

But boy, that was fast, wasn’t it?

Welcome to Mac-A-Doodle, Hinge Inquirer Publications group editor in chief Adel Gabot's Mac blog for INQUIRER.net. Manila-based INQUIRER.net is the online home of the Philippine Daily Inquirer Group of Publications.