RIM patches potential BlackBerry phishing flaw


Research In Motion (RIM) has released a patch for a flaw that could have fooled BlackBerry users into visiting malicious websites.

Criminals could set up a website presenting a manipulated certificate and, in a phishing-style attack, link to that fake site from an SMS or email message that appears to come from someone the user trusts.

Once a user clicked the link, the advisory said: "The BlackBerry browser will correctly detect the mismatch between the certificate and the domain name, and display a dialog box that prompts the user to close the connection.

"However, the dialogue box does not display null characters, so the user may believe they are connecting to a trusted site and disregard the recommended action to close the connection."

The software update resolves the problem in BlackBerry Device Software 4.5 or later, but RIM asked users without the update to exercise caution when clicking on email or SMS links.

If a user ever visited a site that caused a BlackBerry browser dialogue box to warn the user about continuing the connection, they should close the connection even if the box showed that the domain and certificate names were the same, RIM advised.
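As an added illustration of why the warning dialog could look consistent while the check behind it had correctly failed (example code, not RIM's), assuming hypothetical name-comparison and dialog-rendering routines: the full-string comparison detects the mismatch, a C-string style display truncates both names at the first null character so they appear identical, and a strict validator rejects such a certificate name before any dialog is shown. The names used are constructed for the example.

```python
# Added illustration of the flaw described above (not RIM's code).
# The hostname comparison is correct; only the dialog rendering is flawed.
# All names below are constructed for the example.

NUL = "\x00"


def names_match(cert_name: str, requested_host: str) -> bool:
    """The correct check: compare the complete certificate name."""
    return cert_name.lower() == requested_host.lower()


def flawed_dialog_text(name: str) -> str:
    """Pre-patch rendering: a C-string style display stops at the first NUL."""
    return name.split(NUL, 1)[0]


def safe_dialog_text(name: str) -> str:
    """Escape anything non-printable so the dialog shows the whole name."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in name)


def certificate_name_problems(name: str) -> list[str]:
    """Reasons to reject a certificate name before it ever reaches a dialog."""
    problems = []
    if NUL in name:
        problems.append("embedded NUL")
    if any(not c.isprintable() for c in name.replace(NUL, "")):
        problems.append("non-printable character")
    labels = name.split(".")
    if any(not lbl or not all(c.isalnum() or c == "-" for c in lbl) for lbl in labels):
        problems.append("invalid DNS label")
    return problems


def assess(cert_name: str, requested_host: str) -> dict:
    """What the browser decides versus what each dialog style shows the user."""
    return {
        "mismatch_detected": not names_match(cert_name, requested_host),
        "flawed_dialog_looks_matching":
            flawed_dialog_text(cert_name) == flawed_dialog_text(requested_host),
        "safe_dialog_looks_matching":
            safe_dialog_text(cert_name) == safe_dialog_text(requested_host),
        "reject_reasons": certificate_name_problems(cert_name),
    }


if __name__ == "__main__":
    # Constructed: the certificate name carries a NUL after the trusted prefix.
    result = assess("trusted.example" + NUL + "attacker.example", "trusted.example")
    for key, value in result.items():
        print(f"{key}: {value}")
```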