
Safari vulnerability in iOS 5.1 allows URL spoofing

post #1 of 15
Thread Starter 
A newly-discovered mobile Safari web browser vulnerability allows a malicious website to display a URL that is different than the website's actual address, and can trick users into handing over sensitive personal information.

The issue, first discovered by security firm Major Security, is an error in how Apple's mobile Safari app in iOS 5.1 handles URLs when using JavaScript's window.open() method that can be exploited by malicious sites to display custom URLs.

"This can be exploited to potentially trick users into supplying sensitive information to a malicious web site," Major Security explains, "because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site."

The exploit was tested on an iPhone 4, iPhone 4S, iPad 2 and third-generation iPad running iOS 5.1, and it seems that any iDevice running Apple's latest mobile OS is affected by the vulnerability. Users can test the vulnerability themselves by visiting this website from a mobile device. After a user clicks the "demo" button on the test page, Safari will open a new window which shows "http://www.apple.com" in the address bar, but that URL is in fact being displayed through an iframe being hosted by Major Security's servers.

By spoofing a URL and adding some convincing images to a malicious site, users can easily be tricked into thinking they are visiting a legitimate website such as Apple's online store.


"Apple" iPad webpage through Major Security servers (left) compared to official Apple site (right).


The vulnerability was originally found in iOS 5.0 and reproduced on iOS 5.1 earlier in March. Apple was made aware of the issue on March 1 and posted an advisory regarding the matter on March 20. A patch has yet to be pushed out, though the iPhone maker is expected to do so in the near future.

post #2 of 15
Now Apple will patent this and attempt to sue Samsung.
post #3 of 15
Their demo page doesn't work as stated on my copy of Safari (5.1.3), OS X 10.7.3.

-kpluck

Do you use MagicJack?

The default settings will automatically charge your credit card each year for service renewal. You will not be notified or warned in any way. You can turn auto renewal off.

post #4 of 15
Quote:
Originally Posted by fredaroony View Post

Now Apple will patent this and attempt to sue Samsung.

I think you have that backwards. Samsung will sue Apple after they fix it because once fixed the behavior will replicate the browser already found on Samsung devices which has a patent for being unspoofable.

Life is too short to drink bad coffee.

post #5 of 15
Quote:
Originally Posted by kpluck View Post

Their demo page doesn't work as stated on my copy of Safari (5.1.3), OS X 10.7.3.

-kpluck

Mobile Safari not OS X

Life is too short to drink bad coffee.

post #6 of 15
These types of exploits never seem to get used in phishing scams but it's bad form nonetheless. If this isn't resolved in 5.1.x I'll be surprised.


edit: Pipped by mstone.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #7 of 15
Quote:
Originally Posted by SolipsismX View Post

These types of exploits never seem to get used in phishing scams but it's bad form nonetheless.

This type of exploit has never been possible as far as I know. It is very serious.

You don't have to be a security expert to recognize a fake url:

Welcome to bankofamerika. com which is how spoofing looked prior to this.

Life is too short to drink bad coffee.

post #8 of 15
So where does the spoof Apple Store site get your Apple ID account details from, in particular the credit card or voucher details used to make a transaction?

Poor example.

btw, here's a cut & paste from my iPhone 4 address bar:-

http://majorsecurity.net/html5/ios51-demo.html
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #9 of 15
Quote:
Originally Posted by hill60 View Post

So where does the spoof Apple Store site get your Apple ID account details from, in particular the credit card or voucher details used to make a transaction?

Poor example.

It is just a feasibility study. A real spoof would start out by saying you need to update your profile when you land on their fake page. Please update your credit card information on the next. Then your mother's maiden name, etc.

Life is too short to drink bad coffee.

post #10 of 15
You'd think this would have been possible forever ago, not just in one OS and one software version.

Shame the site's down, but

If you can actively change what is displayed up there without the page reloading, you can spoof anything, really.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #11 of 15
Quote:
Originally Posted by mstone View Post

It is just a feasibility study. A real spoof would start out by saying you need to update your profile when you land on their fake page. Please update your credit card information on the next. Then your mother's maiden name, etc.

One that doesn't work, apparently.

(see my updated post)
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #12 of 15
I could have sworn it has always been possible for any site to display whatever URL it wanted to - or at the very least to be able to use an alias or some other method of showing a shortened URL for example to hide the full complexity of your site's structure from the user.
post #13 of 15
Quote:
Originally Posted by fredaroony View Post

Now Apple will patent this and attempt to sue Samsung.

Trying to be funny, try joining the circus,

They have plenty of openings for clowns.
post #14 of 15
Quote:
Originally Posted by kpluck View Post

Their demo page doesn't work as stated on my copy of Safari (5.1.3), OS X 10.7.3.

-kpluck

Main heading says iOS 5.1 safari.
post #15 of 15
Quote:
Originally Posted by AdamC View Post

Trying to be funny, try joining the circus,

They have plenty of openings for clowns.

That hurt so deep you will never know the true pain you have caused !