Mobile Safari Vulnerable To Address Bar Spoofing in iOS 5.1

A new vulnerability in Safari in iOS 5.x has been found, which can be exploited to spoof URLs in the address bar. Taking advantage of this bug, malicious websites can spoof their domain name to a URL the user might trust, and ask for sensitive information like login credentials, credit card numbers etc.
The discovery was made by David Vieira-Kurz of MajorSecurity, who explains the details behind the vulnerability:

The weakness is caused due to an error within the handling of URLs when using javascript’s window.open() method.

This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another web site than the displayed web site.

Although the proof of concept exploit has been tested only on devices running iOS 5.1, we were able to reproduce the bug on iOS 5.0.1 as well.

The folks at MajorSecurity also set up a demo webpage, where you could reproduce this bug. The webpage is hosted on this link. On tapping the ‘Demo’ button you’d be redirected to a new window, which is actually hosted on MajorSecurity’s servers, but the URL bar would display apple.com.

The Web Views used in third party browsers as well as apps like Twitter don’t seem to exhibit this bug.

This bug can be exploited by phishing sites to get hold of your personal information, so we advise you to be careful when clicking links from sources that you do not trust.

Looks like a minor iOS update would be coming in a few days.

[via TNW, YourDailyMac]

  • http://www.motorbeam.com/ fas

    Why cant apple perfect the OS?

    • joe

      tell me one thing that is “perfect”…..troll

    • WillyWonker

      Because they don’t have you working there.

      • Yasser

        +1

  • Jack Gruber

    couldn’t this be used to inject and Jailbreak through safari? Then Patch Later?

    • val

      I don’t see how showing a different URL in the address bar could be used in jailbreaking. This only makes a user think they are on a site that they are not.

      • ItsyourBoy

        That’s what this is about that u can be tricked into thinking your on another site and possibly give up personal info where the hell did u get jailbreaking from ? Learn how to read @val

    • http://iphonehacks.com Rounak

      Nope.

  • Apple Lover/Hater

    What if you’re using a different browser? Can it still work?

    • http://iphonehacks.com Rounak

      “The Web Views used in third party browsers as well as apps like Twitter don’t seem to exhibit this bug.”

    • Alex

      I don’t think so it said only in safari

  • Thunderbolt294

    “so we advise you to be careful when clicking links from sources that you do not trust”
    That’s much harder to do since the introduction of URL shorteners.

  • iBucetas

    bixera(*☻-☻*)