
Address Bar Spoofing Security Bug Found in iOS 5.1, Could Put Your Information at Risk

Apple’s iOS platform is typically thought to be quite secure, although when security issues are found, they’re usually brought to our attention very quickly. David Vieira-Kurz of MajorSecurity recently uncovered a very troubling security issue in Mobile Safari on iOS 5.1 that could put your information at risk:

From MajorSecurity (via TheNextWeb)

Today, a new vulnerability has been brought to our attention that focuses on how the Safari browser on iOS 5.1 renders website addresses, which can be used to display a different URL to that of the actual website you are visiting. […] This could potentially be used to “trick users into supplying sensitive information to a malicious web site.”

This would let a fraudulent website trick you into handing over personal information, such as credit card numbers or passwords, because the address bar would make you believe you are on a legitimate site.

The bug can easily be demonstrated by viewing this link on any device running iOS 5.1. The link takes you to a fake website, but Apple.com appears in the address bar as the site’s URL. Needless to say, it’s a significant issue that Apple needs to address sooner rather than later.

3 thoughts on “Address Bar Spoofing Security Bug Found in iOS 5.1, Could Put Your Information at Risk”

  1. This bug is also present on my iPad 2 3G running iOS 5.0.1!

  2. Jacque Hughes says:

    The issue seems to be that Safari allows JavaScript to rewrite the title in the head section, but the rest is a common iframe. All browsers (incl. Safari) need to stop allowing iframes, and web servers can also stop attacks like this by using the x-frame-options extension and, in addition, disallowing images from being referenced when the referrer isn’t their own domain (this latter one is responsible for many banking websites being so easily phished).
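The two server-side mitigations the commenter names (an anti-framing header and a Referer check on image requests), plus the client-side frame check that sites used as a fallback, as an added Node.js example. This is not code from the blog post, from the commenter, or from MajorSecurity; the host names, the request objects and the `win` stand-in for `window` are constructed for the example, and the `Content-Security-Policy: frame-ancestors` header is included alongside `X-Frame-Options` because current browsers prefer it.

```javascript
// Added example, not code from the original page. Uses only Node.js built-ins
// (the global URL class); host names and sample requests are constructed.

// 1. Response headers that tell a browser not to render this page inside
//    another site's <iframe>. X-Frame-Options is the header the comment names;
//    Content-Security-Policy frame-ancestors is its standardised successor.
function antiFramingHeaders(policy) {
  switch (policy) {
    case "deny":
      return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
      };
    case "sameorigin":
      return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
      };
    default:
      throw new Error(`unknown framing policy: ${policy}`);
  }
}

// 2. Hotlink check for image requests: serve the image only when the Referer
//    header names one of the site's own hosts. A missing Referer is allowed,
//    because browsers legitimately omit it (direct navigation, strict referrer
//    policies); a malformed one is refused rather than guessed at.
//    Caveat: a hostile page can simply suppress its Referer (referrerpolicy
//    "no-referrer"), so this is best-effort, not a security boundary.
function allowImageRequest(refererHeader, ownHosts) {
  if (refererHeader === undefined || refererHeader === "") return true;
  let referer;
  try {
    referer = new URL(refererHeader); // throws TypeError on a malformed value
  } catch (e) {
    return false;
  }
  return ownHosts.includes(referer.hostname); // URL lower-cases hostname already
}

// 3. Client-side fallback for browsers that ignore the headers. `win` stands
//    in for the browser's `window` so the logic can run outside a browser.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Reading win.top across origins throws in some browsers; that alone
    // means the page is inside someone else's frame.
    return true;
  }
}

// Constructed sample traffic (hypothetical hosts, not real requests).
const OWN_HOSTS = ["www.example-bank.test", "example-bank.test"];
const sampleRequests = [
  { path: "/logo.png", referer: "https://www.example-bank.test/login" },
  { path: "/logo.png", referer: "https://phish.example.net/fake-login" },
  { path: "/logo.png", referer: undefined },
  { path: "/logo.png", referer: "not a url" },
];

for (const req of sampleRequests) {
  const verdict = allowImageRequest(req.referer, OWN_HOSTS) ? "allow" : "deny";
  console.log(`${req.path} referer=${req.referer} => ${verdict}`);
}
console.log(antiFramingHeaders("deny"));
```

The Referer check is the weakest of the three: it stops casual hotlinking of a bank's logo into a phishing page, but any attacker who reads the spec can send no Referer at all, which is why the headers (and, today, `frame-ancestors`) are the mitigation to rely on.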
