Be careful of using any app’s browser except Safari until Apple fixes this iOS security hole

By

Be careful logging into sites like Twitter and Facebook using in-app browsers.
Be careful logging into sites like Twitter and Facebook using in-app browsers.

If you regularly use an iPhone or iPad app that uses a built-in browser, you could be vulnerable to a major vulnerability in iOS that allows unscrupulous app developers to spy on your typing.

The vulnerability was discovered by Craig Hockenberry, one of the developers behind Twitter for iOS, who has taken to his blog to warn iOS users about the security issues inherent in using in-app browsers: namely, that an app can spy on everything that is being entered in its in-app browser.

Hockenberry posted a video and a proof-of-concept app to show the vulnerability in action. As you can see, it can even capture passwords.

https://www.youtube.com/watch?v=2Bl-pJBHYuc

Hockenberry explains the hack:

– The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.

– This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

– The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

– The site content is also modified: the text on the button label is normally “Sign in” and has been changed to “SUCK IT UP”. It seemed appropriate.

– This technique works in iOS 7 and 8 (and probably earlier versions, but I didn’t have an easy way to test them).

Basically, until this is fixed, you should think twice about logging into any third-party site through an in-app browser. Instead, you should only log into web sites with Safari, not any sites that use iOS’s in-app browser… which, unfortunately, includes third-party iOS browsers like Chrome.

Source: Furbo

Newsletters

Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.