iOS 5.1 Safari Addressbar URL Spoofing Security Problem

Thursday, March 22, 2012
By OP Editor

Vulnerability could be used for phishing on iOS devices.

iOS Safari Browser URL Spoofing

David Vieira-Kurz of MajorSecurity discovered a bug that could allow a malicious site to display a false URL in the iOS Safari address bar.

Seclists:

“The weakness is caused due to an error within the handling of URLs when using javascript’s window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another web site than the displayed web site.”

The bug, discovered on iOS 5 on March 1, was reported to Apple on March 2, and the report noted Apple “responded” the next day (probably to acknowledge receiving the issue), but so far no iOS security update has addressed it. We can confirm that this can be reproduced on iOS 5.0, 5.0.1, and 5.1. Proof of concept: http://majorsecurity.net/html5/ios51-demo.html

Apple needs to fix this right away. Any jailbreakers working on a fix?

TEMPORARY FIX as noted by ObamaPacman: as general security advice, only log in to web pages if you typed the URL yourself. Do not trust links or buttons from sites or emails that open the browser requesting login information. Malicious sites cannot access your login credentials unless you type them in, so you can safely close browser windows that ask you to log in.

The German-based MajorSecurity also discovered vulnerabilities in the systems of Adobe, eBay, Facebook, Google, and Microsoft.
