Bug Uncovered In Safari On iOS 5.1 That Can Spoof Your Address Bar

Yikes...

Apple’s iOS Safari browser has been the source of many vulnerabilities in the past, and a new discovery reveals a scary bug in the latest version of iOS. When browsing the web on iOS 5.1, there’s the potential that you could run into some address bar spoofing.

What does that mean exactly? Basically, a site URL could be displayed in the address bar that doesn’t actually match the webpage you’re visiting.

David Vieira-Kurz of MajorSecurity.net discovered the bug and posted a rundown:

The weakness is caused due to an error within the handling of URLs when using JavaScript's window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site.

If you’re curious, the vulnerability can be demoed by following this link on a device running iOS 5.1. Tap the demo button and a fake website will be loaded while the apple.com URL remains in the address bar.

Apple is aware of this bug, so expect an iOS patch to hit any day now. In the meantime, be careful about visiting shady links on a device running iOS 5.1. Such a vulnerability could be exploited to get you to give personal information, such as a login, to a malicious website. We’ll let you know when Apple fixes the problem.

[via The Next Web]

  • Arron Hunt

    Scary stuff. I set up another example at http://arronhunt.com/facebook/ . This bug is EXTREMELY easy to use.

    (link is safe, simply shows a popup and doesn't ask for credentials).

  • Al

    WOW. It's so simple to do! Open a new window using JavaScript, as normal, containing the real apple.com or whatever, and assign it to a variable name such as "myWindow". Then simply use myWindow.document.write = "blah blah" to replace or add to its contents with your own, but the URL will remain the same!

    So easy!

    A thousand practical jokes coming up in 3, 2, 1 …

  • Bguss

    Glad I’m still on 5.0. Lol

About the author

Alex Heath is a staff writer at Cult of Mac and co-host of the CultCast. He has been quoted by the likes of the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to pitch a story, share a tip, or just get in touch, additional contact information is available on his personal site. Twitter always works too.

Posted in News