iOS 5.1 Safari Bug Allows Hackers to Spoof URLs: How?

March 26, 2012, 10:44 AM

Safari and Major Security's Test Page (Apple | Major Security)

A recently discovered vulnerability in Apple's mobile Safari Web browser allows malicious Web sites to display a URL that is not the Web site's actual address. This can trick users into submitting sensitive personal information. So iOS 5.1 users, beware.

Error in Handling URLs

This address bar spoofing issue was discovered by David Vieira-Kurz of the German security firm Major Security. It stems from an error in how mobile Safari in iOS 5.1 handles URLs when a page uses JavaScript's window.open() method. Malicious Web sites can exploit this vulnerability to display a URL of their choosing in the address bar.

"This can be exploited to potentially trick users into supplying sensitive information to a malicious Web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting a Web site other than the displayed Web site," explained David Vieira-Kurz.

The Vulnerability Affects any iDevice Running iOS 5.1

Tested on Apple's iPhone 4, iPhone 4S, iPad 2 and the new iPad, the vulnerability appears to affect any Apple device running the company's latest mobile operating system, iOS 5.1. Major Security has set up a Web page that demonstrates the issue, so users can test whether their device is affected.

Once a user taps the demo button on the test page, Apple's mobile browser opens a new window showing http://www.apple.com in the address bar. While it all looks legitimate, that apple.com URL belongs to an iframe; the page the user is actually viewing is hosted on Major Security's servers.

By displaying a seemingly legitimate URL and throwing in some convincing images, a malicious site can easily trick users into believing they are visiting a legitimate Web site, such as Apple's online store.

Expect a Patch Soon, Beware in the Meantime

Major Security has informed Apple of the vulnerability, so it should only be a matter of time before a patch is released to address the issue. For now, however, iOS 5.1 users are advised to take extreme caution when entering sensitive information such as their Social Security number, account details or other personal information. Major Security recommends that users upgrade to the new version of iOS as soon as a patch becomes available.

(reported by Alexandra Burlacu, edited by Surojit Chatterjee)
