A French hacker known as pod2g has identified a text-based iOS glitch that allows scammers to spoof their identities and make it look like text messages are coming from legitimate sources.
The flaw has existed since the iPhone was first launched in 2007, and is still not fixed in the beta version of iOS 6, the next operating system for iPhone.
Under the protocols handling the exchange of SMS (Short Message Service) texts between mobile phones, the sender of a message can technically change the reply-to phone number to something different from the original number, pod2g explained.
At issue is a section of a text message payload known as the User Data Header (UDH), which includes a number of advanced features. One of those features allows the user to change the reply address of the text. You can send a text from your iPhone, for example, but if the person replies, it’ll get sent to your Galaxy S III.
When the option works correctly, pod2g said, the text message recipient will be able to see that they are responding to a different phone number. The recipient phone should either display the secondary number, or “in a good implementation of this feature,” pod2g wrote, the original phone number and the new phone number.
[quote]“On iPhone, when you see the message, it seems to come from the reply-to number, and you [lose] track of the origin,” according to pod2g.[/quote]
This is problematic because it could allow the scammer to send you a text message that appears to be from your bank with a link that asks you to click and verify account information.
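The "good implementation" behaviour pod2g describes can be sketched as a receiver-side check. This is an added example, not code from pod2g or Apple: it walks the UDH, decodes a reply address if one is present, and keeps the originating number in what is shown to the user. The function names and sample bytes are constructed for illustration; the element identifier 0x22 and the address layout are taken from 3GPP TS 23.040, not from the article.

```python
REPLY_ADDRESS_IEI = 0x22           # Reply Address Element in 3GPP TS 23.040
SEMI_OCTET = "0123456789*#abc?"    # 0xF is filler for odd-length numbers

def decode_address(field: bytes) -> str:
    """Decode digit count, type-of-address octet, then nibble-swapped digits."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, toa, body = field[0], field[1], field[2:]
    if len(body) < (ndigits + 1) // 2:
        raise ValueError("address digits truncated")
    digits = "".join(SEMI_OCTET[b & 0x0F] + SEMI_OCTET[b >> 4] for b in body)
    prefix = "+" if (toa >> 4) & 0x07 == 1 else ""   # type-of-number 1 = international
    return prefix + digits[:ndigits]

def parse_udh(user_data: bytes) -> dict:
    """Return {IEI: IED} for user data that begins with a UDH length octet."""
    if not user_data or user_data[0] > len(user_data) - 1:
        raise ValueError("header length exceeds user data")
    header, elements, i = user_data[1:1 + user_data[0]], {}, 0
    while i < len(header):
        if i + 2 > len(header) or i + 2 + header[i + 1] > len(header):
            raise ValueError("information element runs past header")
        iei, iedl = header[i], header[i + 1]
        elements[iei] = header[i + 2:i + 2 + iedl]
        i += 2 + iedl
    return elements

def sender_display(originator: str, user_data: bytes, has_udh: bool) -> str:
    """Keep the originating number visible even when a reply address is set."""
    if not has_udh:
        return originator
    ied = parse_udh(user_data).get(REPLY_ADDRESS_IEI)
    if ied is None:
        return originator
    reply_to = decode_address(ied)
    if reply_to == originator:
        return originator
    return f"{originator} (replies go to {reply_to})"

# Constructed sample: concatenation element, then a reply address of +15550199.
SAMPLE = bytes.fromhex("0d00032a0201" "2206" "089151551099") + b"hello"

if __name__ == "__main__":
    print(sender_display("+15550100", SAMPLE, has_udh=True))
```

A malformed or truncated header raises `ValueError`, so a caller can fall back to showing the originating number alone.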