Scammers can hide fake URLs on the iPhone, says researcher
iOS lets Web apps conceal URL in Safari, allowing identity thieves to dupe users, expert argues
Computerworld - Identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said today.
In a pair of blog posts, Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application.
In a proof-of-concept, Dhanjani showed how legitimate Web applications such as Bank of America's mobile banking application hide Safari's address bar after rendering the page. He speculated that developers use this practice to use as much as possible of the limited screen real estate on mobile devices like the iPhone.
"Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites," said Dhanjani on his personal blog and in an entry on the SANS Institute's blog.
Identity thieves and scammers could apply the same practice to conceal the actual URL of a fake site they've created and then duped users into visiting, Dhanjani said.
The ability to hide the address bar in iOS, Apple's mobile operating system that powers the iPhone, is by design, noted Dhanjani, who said he had reported the problem to Apple.
"I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue," said Dhanjani.
He suggested that Apple modify iOS to prevent Web applications from hiding the URL.
"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view," he said. "Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."
Dhanjani is probably best known as the security researcher who uncovered an Apple Safari vulnerability in 2008 that could be exploited with "carpet bomb" attacks, a term he used because the attacks littered the Windows desktop with malware files.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Apple has bigger plans than just song ID with Shazam deal
- Automakers show off in-vehicle Wi-Fi, new smartphone interfaces
- First-to-market means diddly when it comes to smartwatches
- Apple slates WWDC for June 2-6, sets up ticket lottery
- Nadella to Cook on Office revenue sharing: Drop dead
- Microsoft scraps 'Windows-first' practice, puts Office on iPad before Surface
- iOS tops Android for Web browsing in U.S. and other developed nations
- Microsoft's free OneNote vaults to top of Mac App Store chart
- Apple discounts iPhone 5C 8%-9% in five markets via storage cuts
- Microsoft's OneNote strategy: Battle Evernote, or something bigger?
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts