iOS 5.1 Safari Addressbar URL Spoofing Security Problem
Vulnerability could be used for phishing on iOS devices.
David Vieira-Kurz of MajorSecurity discovered a bug that could allow a malicious site to display a false URL in the iOS Safari address bar.
The bug, discovered on iOS 5 on March 1, was reported to Apple on March 2. The report notes that Apple “responded” the next day (probably to acknowledge receiving the issue), but so far no iOS security update has addressed it. We can confirm that this can be reproduced on iOS 5.0, 5.0.1, and 5.1. Proof of concept: http://majorsecurity.net/html5/ios51-demo.html
Apple needs to fix this right away. Any jailbreakers working on a fix?
TEMPORARY FIX as noted by ObamaPacman: as general security advice, only log in to web pages if you typed the URL yourself. Do not trust links or buttons from sites or emails that open the browser requesting login information. Malicious sites cannot access your login credentials unless you type them in, so you can safely close browser windows that ask you to log in.
The German-based MajorSecurity also discovered vulnerabilities in the systems of Adobe, eBay, Facebook, Google, and Microsoft.
Recent security problems on other platforms:
- TXT file can gain admin rights on Windows server
- Google Wallet security problem on non-rooted and rooted Android devices
- App Store / iOS Code Signing Security Flaw [Video]
- Cydia “PDF Loading Warner” Helps Prevent iOS Security Hole Exploit
- Apple Security Update Adds Daily Check of Malicious Software + Removes MACDefender Trojan Malware
- Windows XP Security Update Causes BSoD and Reboot Hell
- Apple Releases Safari Browser 4.0.5 Software Update