iPhone URL Display Feature Poses Security Threat

The system the iPhone, iPad and iPod touch use to display Web sites within apps offers hackers an easy way to trick users into visiting malicious Web pages posing as legit sites, according to security research specialist Nitesh Dhanjani. The spoof involves Apple’s UIWebView API and iOS’s ability to hide the URL field once a page loads.

The potential security flaw works by hiding the URL field for a Web page so users don’t notice that they aren’t on the Web site they intended. In situations where users should see the URL field, hackers can simply create their own showing the address their victim expects to see.

Mr. Dhanjani has detailed the flaw on his own blog as well as the SANS SSI Web site.

Mr. Dhanjani has passed the information on to Apple. “I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,” he said.