iOS security exploit lets hackers easily fake URLs

3bs

macrumors 603
Original poster
May 20, 2011
5,425
19
Dublin, Ireland
Another reason to stick to 5.0.1 :p
"You're browsing the Internet on your iPhone or iPad when you're suddenly prompted for some personal information. But you're no dummy: Before you enter it, you check the URL bar to confirm that you really are on a trusted site. When you're sure, you type in the information. Careful as you were, you still may have handed sensitive data to a bad guy.

How is that possible when you're absolutely certain that you're on a trustworthy website? Because right now you can't trust the URL bar on your iOS device's mobile Safari browser, thanks to a security exploit.

The exploit was first discovered by David Vieira-Kurz of MajorSecurity. It affects the mobile Safari browser on iOS 5.1 and has been tested on the iPhone 4, iPhone 4S, second-generation iPad and third-generation iPad. According to Vieira-Kurz, the exploit is possible thanks to an error in how new windows are opened using a javascript method:

This can be exploited to potentially trick users into supplying sensitive information to a malicious website, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another website than the displayed website.

MajorSecurity has created a demonstration of the exploit. You can check it out by following this link on a device which is running iOS 5.1. After pressing the "demo" button on that website, you will see Safari open a new window which displays "http://www.apple.com" in the URL bar, even though the website you're viewing is actually hosted on "http://www.majorsecurity.net."

There's no fix for the issue right now, but it shouldn't take long for Apple to patch the exploit. In the meantime, you should be careful about which links you follow."

http://www.technolog.msnbc.msn.com/technology/technolog/ios-security-exploit-lets-hackers-easily-fake-urls-535643
 

ColKurtz

macrumors newbie
Mar 24, 2012
4
0
1. This exists on 5.0.1 as well
I'm on 5.01 (4s) and just visited the test link in the MSNBC article. I correctly see the Majorsecurity.net URL, not Apple.com that the article implies should be showing.

I don't have a 5.1 device to check, but if those that do indeed see Apple.com then it sounds like this exploit might be 5.1-specific after all?
 

heyyitzmelissa

macrumors 6502
Jan 17, 2012
352
1
I'm on 5.01 (4s) and just visited the test link in the MSNBC article. I correctly see the Majorsecurity.net URL, not Apple.com that the article implies should be showing.

I don't have a 5.1 device to check, but if those that do indeed see Apple.com then it sounds like this exploit might be 5.1-specific after all?
You obviously didn't click on Demo