iOS security exploit lets hackers easily fake URLs

Discussion in 'Jailbreaks and iOS Hacks' started by 3bs, Mar 23, 2012.

  1. 3bs macrumors 603

    3bs

    Joined:
    May 20, 2011
    Location:
    Dublin, Ireland
    #1
    Another reason to stick to 5.0.1 :p
    "You're browsing the Internet on your iPhone or iPad when you're suddenly prompted for some personal information. But you're no dummy: Before you enter it, you check the URL bar to confirm that you really are on a trusted site. When you're sure, you type in the information. Careful as you were, you still may have handed sensitive data to a bad guy.

    How is that possible when you're absolutely certain that you're on a trustworthy website? Because right now you can't trust the URL bar on your iOS device's mobile Safari browser, thanks to a security exploit.

    The exploit was first discovered by David Vieira-Kurz of MajorSecurity. It affects the mobile Safari browser on iOS 5.1 and has been tested on the iPhone 4, iPhone 4S, second-generation iPad and third-generation iPad. According to Vieira-Kurz, the exploit is possible thanks to an error in how new windows are opened using a JavaScript method:

    This can be exploited to potentially trick users into supplying sensitive information to a malicious website, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another website than the displayed website.

    MajorSecurity has created a demonstration of the exploit. You can check it out by following this link on a device which is running iOS 5.1. After pressing the "demo" button on that website, you will see Safari open a new window which displays "http://www.apple.com" in the URL bar, even though the website you're viewing is actually hosted on "http://www.majorsecurity.net".

    There's no fix for the issue right now, but it shouldn't take long for Apple to patch the exploit. In the meantime, you should be careful about which links you follow."

    http://www.technolog.msnbc.msn.com/...-exploit-lets-hackers-easily-fake-urls-535643
     
  2. heyyitzmelissa macrumors 6502

    Joined:
    Jan 17, 2012
    #2
    1. This exists on 5.0.1 as well
    2. Old as the invention of religion
     
  3. 3bs thread starter macrumors 603

    3bs

    Joined:
    May 20, 2011
    Location:
    Dublin, Ireland
    #3
    Oh, I didn't know that, and the article made it sound like it was only on 5.1.
     
  4. ColKurtz macrumors newbie

    Joined:
    Mar 24, 2012
    #4
    I'm on 5.0.1 (4S) and just visited the test link in the MSNBC article. I correctly see the majorsecurity.net URL, not apple.com, which the article implies should be showing.

    I don't have a 5.1 device to check, but if those that do indeed see Apple.com then it sounds like this exploit might be 5.1-specific after all?
     
  5. heyyitzmelissa macrumors 6502

    Joined:
    Jan 17, 2012
    #5
    You obviously didn't click on Demo.
     
  6. ColKurtz macrumors newbie

    Joined:
    Mar 24, 2012
    #6
    Doh! Obviously not. Just saw the iPad graphic, didn't see that button. Yes, I see apple.com when I click that. Sorry.
     