iPhone URL display poses potential security threat
Security research specialist Nitesh Dhanjani has demonstrated how mobile Safari's ability to hide a web page's URL can be used to trick users. Specifically, his proof-of-concept site shows a "fake" URL field once the real one has been hidden, preventing users from realizing that they're not looking at the site they intended to see.
Dhanjani goes on to note that in situations where a URL field should be visible, a hacker could simply present the fake one, tricking most users. He offers more detail on his blog and says that he's been in communication with Apple about the issue. You can check out a brief video of how the trick works after the break.
[Via MacObserver]
Filed? Isn't that supposed to mean "field"? It's spelled wrong twice!
November 30 2010 at 3:06 PM
Like the "Fraud Warning" option which says, "Warn when visiting fraudulent websites." under the iPhone's Safari settings, you mean? ;)
Except it doesn't do anything. I've tried to find a way to get it to activate by going to known spam/scam sites to no avail.
November 30 2010 at 5:54 PM
Wow, really smart. I think Apple's likely fix is to build in the same sort of phishing protection they have in the desktop version of Safari: "Warn when visiting fraudulent sites"
November 30 2010 at 1:39 PM
This isn't a hack or exploit. Do we really protect every moron who falls for these kinds of 'hacks'?
Sjeez. Non issue.
Clever hack, but most users don't really understand URLs and ignore them. Forcing them to always see it doesn't seem like it'd really help prevent these sorts of scams.
November 30 2010 at 1:25 PM
I disagree, this particular malice seems especially effective because of mSafari's system default. It's as tricky as that early spyware that masqueraded as Windows' "error occurred" messages. It will fool a lot of casual users.
December 01 2010 at 2:53 PM
Zero Cool just hacked the Gibson.
November 30 2010 at 1:18 PM