A recently discovered vulnerability in Apple's mobile Safari Web browser allows a malicious Web site to show, in the address bar, a URL that is not the page's actual address. Because the address bar is the main cue users rely on to judge where they are, this can trick them into submitting sensitive personal information to the wrong site. So iOS 5.1 users, beware.
Error in Handling URLs
This can be exploited to potentially trick users into supplying sensitive information to a malicious Web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting a Web site other than the one actually displayed, explained David Vieira-Kurz.
The Vulnerability Affects any iDevice Running iOS 5.1
Tested on Apple's iPhone 4, iPhone 4S, iPad 2 and the new iPad, the vulnerability appears to affect any Apple device running its latest mobile operating system, iOS 5.1. Major Security has set up a Web page that demonstrates the issue, so users can test whether their device is affected.
Once a user clicks the demo button on the test page, Apple's mobile browser opens a new window whose address bar reads http://www.apple.com. The address bar looks legitimate, but the content shown beneath it is not Apple's: it is served through an iframe hosted on Major Security's servers. The address bar and the page content no longer agree, and the browser gives the user no indication of that.
By pairing a seemingly legitimate URL with convincing imagery, a malicious site can easily persuade users that they are visiting a legitimate Web site, such as Apple's online store, and get them to enter credentials or payment details there.
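The one thing an address-bar spoof of this kind cannot easily hide is the document's own `location`, which still reports where the content really came from. The following is an added example, not code from the article or from Major Security's demo page: a small check that reports a window's real origin and whether it is running inside a frame, so a tester can compare that with what the address bar claims. The `attacker.example` and `fake-store.html` names, and the two sample window objects, are constructed for the example and are not the real demo's.

```javascript
// Added example, not code from the article or from Major Security's demo page.
// An address-bar spoof lies in the browser chrome; the document's own
// `location` still reports where the content really came from. This helper
// reports that real origin and whether the document is running inside a
// frame, so a tester can compare it with what the address bar shows.
// `win` is any window-like object with `location`, `top` and `self`
// (a real browser `window`, or the constructed samples below).

function describeWindow(win) {
  const loc = win.location;
  const framed = win.top !== win.self;
  let topOrigin = loc.origin;
  if (framed) {
    try {
      // Browsers throw a SecurityError when a frame reads a cross-origin
      // parent's location; that failure itself shows the parent is a
      // different origin from the framed content.
      topOrigin = win.top.location.origin;
    } catch (e) {
      topOrigin = "<cross-origin parent, not readable>";
    }
  }
  return { href: loc.href, origin: loc.origin, framed, topOrigin };
}

// Compare the host the address bar claims with the host the document really
// has. A spoof is confirmed when they differ.
function matchesDisplayedHost(report, displayedHost) {
  return new URL(report.href).hostname === displayedHost.toLowerCase();
}

// Constructed sample: attacker-hosted content inside a frame whose parent is
// cross-origin (the hostnames are placeholders, not the real demo's).
function sampleSpoofedFrame() {
  const top = {
    get location() {
      throw new Error("SecurityError: Blocked a frame from accessing a cross-origin frame.");
    },
  };
  const frame = {
    location: {
      href: "https://attacker.example/fake-store.html",
      origin: "https://attacker.example",
    },
    top,
  };
  frame.self = frame;
  return frame;
}

// Constructed sample: a genuine top-level page.
function sampleLegitWindow() {
  const win = {
    location: { href: "https://www.apple.com/store", origin: "https://www.apple.com" },
  };
  win.top = win;
  win.self = win;
  return win;
}

// In a browser this can be run as a bookmarklet on the suspect window:
//   javascript:alert(JSON.stringify(describeWindow(window)))
if (typeof window !== "undefined") {
  console.log(describeWindow(window));
} else {
  console.log("spoofed frame:", describeWindow(sampleSpoofedFrame()));
  console.log("genuine page:", describeWindow(sampleLegitWindow()));
}
```

Run as a bookmarklet in the suspect window, a reported origin that differs from the host in the address bar confirms a spoof. The check assumes the bug is confined to what the address bar draws; the article does not say whether scripts in the affected window see the true location, so treat a mismatch as confirmation and a match as inconclusive rather than as proof the page is genuine.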
Expect a Patch Soon, Beware in the Meantime
Major Security has reported the vulnerability to Apple, so a patch should follow. Until it ships, iOS 5.1 users should be cautious when entering sensitive information such as a Social Security number, account details or other personal data, and should bear in mind that a page opened by another site can show a legitimate-looking address. Reaching sites that handle sensitive data by typing the address or using a bookmark, rather than by following a link from another site, avoids the scenario the demo relies on. Major Security recommends that users upgrade to the new version of iOS as soon as a patched release is available.
(reported by Alexandra Burlacu, edited by Surojit Chatterjee)