Mobile Safari Vulnerable To Address Bar Spoofing in iOS 5.1

A new vulnerability in Safari in iOS 5.x has been found, which can be exploited to spoof URLs in the address bar. Taking advantage of this bug, malicious websites can spoof their domain name to a URL the user might trust, and ask for sensitive information like login credentials, credit card numbers etc.
The discovery was made by David Vieira-Kurz of MajorSecurity, who explains the details behind the vulnerability:

The weakness is caused due to an error within the handling of URLs when using JavaScript's window.open() method.

This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting a web site other than the one displayed.

Although the proof of concept exploit has been tested only on devices running iOS 5.1, we were able to reproduce the bug on iOS 5.0.1 as well.

The folks at MajorSecurity also set up a demo webpage, where you could reproduce this bug. The webpage is hosted on this link. On tapping the ‘Demo’ button you’d be redirected to a new window, which is actually hosted on MajorSecurity’s servers, but the URL bar would display apple.com.

The Web Views used in third party browsers as well as apps like Twitter don’t seem to exhibit this bug.

This bug can be exploited by phishing sites to get hold of your personal information, so we advise you to be careful when clicking links from sources that you do not trust.

It looks like a minor iOS update will be coming in a few days.

[via TNW, YourDailyMac]
