Scammers can hide fake URLs on the iPhone, says researcher
iOS lets Web apps conceal URL in Safari, allowing identity thieves to dupe users, expert argues
Computerworld - Identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said today.
In a pair of blog posts, Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application.
In a proof-of-concept, Dhanjani showed how legitimate Web applications such as Bank of America's mobile banking application hide Safari's address bar after rendering the page. He speculated that developers use this practice to use as much as possible of the limited screen real estate on mobile devices like the iPhone.
"Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites," said Dhanjani on his personal blog and in an entry on the SANS Institute's blog.
Identity thieves and scammers could apply the same practice to conceal the actual URL of a fake site they've created and then duped users into visiting, Dhanjani said.
The ability to hide the address bar in iOS, Apple's mobile operating system that powers the iPhone, is by design, noted Dhanjani, who said he had reported the problem to Apple.
"I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue," said Dhanjani.
He suggested that Apple modify iOS to prevent Web applications from hiding the URL.
"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view," he said. "Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."
Dhanjani is probably best known as the security researcher who uncovered an Apple Safari vulnerability in 2008 that could be exploited with "carpet bomb" attacks, a term he used because the attacks littered the Windows desktop with malware files.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Apple grows Mac sales by 18% on the back of the MacBook Air
- What to listen for during Apple's earnings call today
- Timeline: How Apple's iOS gained enterprise cred
- Apple and IBM: A winning combo for IT
- IBM and Apple ties go way back
- Apple quickly counters China claim of iPhone spying
- China calls the iPhone and iOS 7 threats to national security
- Apple's CarPlay to dominate infotainment systems, will be in 24M cars by 2019
- Dev interest in OS X Yosemite is 4X what it was for Mavericks in '13
- Apple yanks Google Maps from iCloud's 'Find My iPhone'
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts