Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Address Bar Security Issue Found in iOS 5.1 Safari

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,589
13,220



A security firm has discovered a security issue in the iOS 5.1 version of MobileSafari, the most recent version of the operating system that runs on millions of Apple mobile devices. The behavior was discovered and detailed by David Vieira-Kurz of MajorSecurity.net.
The weakness is caused due to an error within the handling of URLs when using javascript's window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site.



To test it out, visit this demo page on an iPhone, iPod Touch or iPad running iOS 5.1. Click the 'Demo' button and MobileSafari will open a new window displaying "www.apple.com" in the address bar, though it's actually loading a page from MajorSecurity.net.

The security firm does note that Apple was informed of the vulnerability three weeks ago, and it is only being made public today. Apple acknowledged the bug and should be pushing a fix soon.

Article Link: Address Bar Security Issue Found in iOS 5.1 Safari
 

Porco

macrumors 68040
Mar 28, 2005
3,152
6,123
Settings> Safari> Javascript > Off

is my default position.
 
Comment

Small White Car

macrumors G4
Aug 29, 2006
10,929
1,239
Washington DC
That's a pretty good trick.

I mean, usually these things are like "if you download pirated software AND give it your password AND..."

But this one's pretty good. That, like, just worked.
 
Comment

DaveN

macrumors 6502a
May 1, 2010
670
345
It worries me

I tried the site and it is convincing. I hope to see a quick fix fromApple.
 
Comment

Snapperjw

macrumors regular
Oct 8, 2007
212
86
Steve Won't Be Happy

Apple are getting a little slack:

1. Hot iPads
2. Wifi Issues On New iPad
3. Safari On Retina Ipad's not actually pulling the fullres wallpaper / images
4. Security issues within 5.1

Apple. You have a B- you can and should be doing a lot better than this!!
 
Comment

Ashyukun

macrumors 6502
Jul 19, 2008
262
1
Not just 5.1....

I just tried it out on my 4S running 5.0.1 (jailbroken), and it works on it as well...
 
Comment

mattburley7

macrumors 68040
Oct 13, 2011
3,367
677
Apple are getting a little slack:

1. Hot iPads
2. Wifi Issues On New iPad
3. Safari On Retina Ipad's not actually pulling the fullres wallpaper / images
4. Security issues within 5.1

Apple. You have a B- you can and should be doing a lot better than this!!

2, 3, and 4 can be fixed with a software update which I think apple will do with iOS 5.1.1 or 5.1.2
 
Comment

soco

Contributor
Dec 14, 2009
2,837
116
Yardley, PA
Apple are getting a little slack:

1. Hot iPads
2. Wifi Issues On New iPad
3. Safari On Retina Ipad's not actually pulling the fullres wallpaper / images
4. Security issues within 5.1

Apple. You have a B- you can and should be doing a lot better than this!!
Sorry to break it to you, and I loved the man, but he passed away back in October. It's Tim & Co.'s company now and they, despite misinformation to the contrary, are having just as many (read: few) real issues as they did when Steve was around.
 
Comment

nagromme

macrumors G5
May 2, 2002
12,546
1,196
I’m paranoid enough that when I go to a site to log into something important, I go there from my OWN bookmark. I never just follow a link from someplace. Definitely needs to be fixed though!

But three weeks? Really? Is it a sure thing that a fix can be tested and deployed in three weeks without causing other problems, all in parallel with existing changes also being made to the same code for whatever updates were already in the works? That kind of turnaround is a pleasant surprise when it happens, not a given.

Just give the vendors time to fix the thing BEFORE you tell the world how to exploit it! Otherwise, you’re seeking attention (even profit) and harming all our security. Good catch, but your handling of it is poor security practice.
 
Comment

madrag

macrumors 6502
Nov 2, 2007
361
72
Safari 4.0.3 also gets "spoofed"!

That's a nice "trick" and scary also...
 
Comment

Snapperjw

macrumors regular
Oct 8, 2007
212
86
Sorry to break it to you, and I loved the man, but he passed away back in October. It's Tim & Co.'s company now and they, despite misinformation to the contrary, are having just as many (read: few) real issues as they did when Steve was around.

It's all a conspiracy, Steve is happy and living in Sandpoint, Idaho!! He runs a recruitment agency called 'Jobs Jobs Jobs' :)
 
Comment

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Apple are getting a little slack:

1. Hot iPads
2. Wifi Issues On New iPad
3. Safari On Retina Ipad's not actually pulling the fullres wallpaper / images
4. Security issues within 5.1

Apple. You have a B- you can and should be doing a lot better than this!!

In other words, small bugs, nothing unusual at all in something shipped by the millions; and simple physics. What are the products you’re comparing to that have the sheer pixel-pushing horsepower and battery life of the new iPad, without generating heat from the electronics during 3D rendering? And define “hot.”

It’s good to keep a list of troll talking points, though, for historical purposes.
 
Comment

doboy

macrumors 68030
Jul 6, 2007
2,905
1,510
Public Announcement:

ALWAYS enter the URL manually or use your own bookmark for ANYTHING remotely important. This also means DO NOT click on the links in your email from financial institutions, PayPal, etc.
 
Last edited:
Comment

Lordskelic

macrumors regular
Nov 3, 2010
115
0
Texas
Apple! Y U NO WORK? No seriously, what's with all of these Apple problems being reported on lately?
 
Comment

bawbac

macrumors 65816
Mar 2, 2012
1,232
48
Seattle, WA
In other words, small bugs, nothing unusual at all in something shipped by the millions; and simple physics. What are the products you’re comparing to that have the sheer pixel-pushing horsepower and battery life of the new iPad, without generating heat from the electronics during 3D rendering? And define “hot.”

It’s good to keep a list of troll talking points, though, for historical purposes.

Handing over your personal info is a small bug? :confused:
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.