A security researcher has discovered that it's possible to show the URL of one site while loading another in Mobile Safari, which could trick users into visiting a malicious website. The vulnerability has been reported to Apple, but until the company issues a patch for iOS, users should be extra cautious when clicking unknown links.
According to David Vieira-Kurz from infosec firm MajorSecurity, Mobile Safari under iOS 5.0, 5.0.1, and the current 5.1 has a vulnerability in the way it handles JavaScript's window.open() function.
"This can be exploited to potentially trick users into supplying sensitive information to a malicious web site," Vieira-Kurz explained, "because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site."
Vieira-Kurz developed a proof of concept that causes a new window or tab to open when clicking a specially crafted link. That new window looks as though it is loading Apple's website at apple.com, but it actually loads in an iframe within a page on MajorSecurity's website. The proof of concept doesn't do anything malicious, but the same technique could be used to scrape your AppleID, for instance, or possibly even grab credit card info if you buy something from the Apple Store.
MajorSecurity says that users should upgrade to a newer version of iOS as soon as Apple has a patch ready. Until then there's no 100 percent guaranteed method to ensure safety other than steering clear of any unfamiliar sites.
reader comments
20