Bug Uncovered In Safari On iOS 5.1 That Can Spoof Your Address Bar

Yikes...

Apple’s iOS Safari browser has been the source of many vulnerabilities in the past, and a new discovery reveals a nasty bug in the latest release. When browsing the web on iOS 5.1, a page can spoof what Safari shows in the address bar.

What does that mean exactly? Basically, the URL displayed in the address bar does not have to match the page you are actually looking at, so the one visual cue most people rely on to tell a real site from a fake one can lie.

David Vieira-Kurz of MajorSecurity.net discovered the bug and posted a rundown:

The weakness is caused due to an error within the handling of URLs when using JavaScript’s window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another web site than the displayed web site.

If you’re curious, the vulnerability can be demoed by following this link on a device running iOS 5.1. Tap the demo button and a fake page is loaded while the address bar continues to show the apple.com URL.

Apple is aware of this bug, so expect an iOS patch soon. In the meantime, be careful about following untrusted links on a device running iOS 5.1, and don’t treat the address bar as proof of where you are: a phishing page exploiting this could show a trusted URL while collecting your login or other personal information. We’ll let you know when Apple fixes the problem.

[via The Next Web]