A new vulnerability has been found in Safari on iOS 5.x that can be exploited to spoof the URL shown in the address bar. Taking advantage of this bug, a malicious website can make its address appear as a domain the user trusts and then ask for sensitive information such as login credentials or credit card numbers.
The discovery was made by David Vieira-Kurz of MajorSecurity, who explains the details behind the vulnerability:
This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting a web site other than the displayed web site.
The folks at MajorSecurity have also set up a demo webpage where you can reproduce this bug. The webpage is hosted on this link. On tapping the ‘Demo’ button you are redirected to a new window which is actually served from MajorSecurity’s servers, yet the URL bar displays apple.com.
The web views used in third-party browsers, as well as in apps like Twitter, don’t seem to exhibit this bug.
This bug can be exploited by phishing sites to get hold of your personal information, so we advise you to be careful when clicking links from sources you do not trust.
It looks like a minor iOS update will be coming in a few days.