iPhone & iPad Mobile Safari Vulnerable to Address Bar Spoof

Mobile Safari on iPhone and iPad is vulnerable to address bar spoofing, according to a security alert from David Vieira-Kurz of MajorSecurity. The vulnerability allows a malicious site to display a false URL in the address bar of the user's iOS device, which could be used to trick users into entering login credentials or other sensitive information on a webpage they believe belongs to a legitimate site.

The researcher said that a proof of concept attack has been tested on an iPhone 4, iPhone 4S, iPad 2 and iPad 3 running iOS 5.1, and that Apple has been notified of the exploit.

MajorSecurity is currently hosting that proof of concept on its own website. We’ve tried it for you, however, so you can see the effects of the exploit without having to expose yourself to it.

Visiting the page shows you a reproduction of Apple’s home page, along with a button to start the demo, as shown in the image below.

[Screenshot 1: MajorSecurity Proof of Concept Demo of the Exploit]

Clicking on the “Demo” button above takes you to the same page, but now the address bar insists you are at apple.com. The text just below that was added by MajorSecurity to make it clear you are actually still on its website.

[Screenshot 2: Address Bar Proof of Concept in Action]

“The weakness is caused due to an error within the handling of URLs when using JavaScript’s window.open() method,” the research alert said.

There is no workaround for the exploit other than to open only trusted links on your iOS device. MajorSecurity recommended that users update to the newest version of Safari as soon as Apple releases one, advice that we will echo.

Apple has not yet acknowledged the issue or announced a patch for the exploit. The company typically waits until it is ready to release a patch before commenting on a particular issue.

Thanks to TUAW for the heads up on the alert.