Mobile Safari is Victim to URL Spoofing Exploit in iOS 5.1

A new security issue has been discovered in iOS 5.1 that allows for URL spoofing in Mobile Safari on the iPhone, iPod touch, and iPad. David Vieira-Kurz of Major Security explains the exploit in further detail…

“The weakness is caused due to an error within the handling of URLs when using JavaScript’s window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious website, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another website than the displayed web site.”

If you have your iOS device on hand, Vieira-Kurz has created a demonstration of this exploit that can be accessed directly from Mobile Safari by clicking here. Despite being sent to the Major Security website, the address bar will be spoofed to display “www.apple.com.” Phishing sites and other scammers can easily take advantage of this security issue, so the exploit has the potential to be a serious threat for Mobile Safari users. Fortunately, Apple is reportedly aware of the issue and will be addressing it in a future software update.

[The Next Web via iDownloadBlog]
