Scammers can hide fake URLs on the iPhone, says researcher

iOS lets Web apps conceal URL in Safari, allowing identity thieves to dupe users, expert argues

Identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said today.

In a pair of blog posts, Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application.

In a proof-of-concept, Dhanjani showed how legitimate Web applications such as Bank of America's mobile banking application hide Safari's address bar after rendering the page. He speculated that developers use this practice to use as much as possible of the limited screen real estate on mobile devices like the iPhone.

"Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites," said Dhanjani on his personal blog and in an entry on the SANS Institute's blog.

Identity thieves and scammers could apply the same practice to conceal the actual URL of a fake site they've created and then duped users into visiting, Dhanjani said.

The ability to hide the address bar in iOS, Apple's mobile operating system that powers the iPhone, is by design, noted Dhanjani, who said he had reported the problem to Apple.

"I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue," said Dhanjani.

He suggested that Apple modify iOS to prevent Web applications from hiding the URL.

"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view," he said. "Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."

Dhanjani is probably best known as the security researcher who uncovered an Apple Safari vulnerability in 2008 that could be exploited with "carpet bomb" attacks, a term he used because the attacks littered the Windows desktop with malware files.

Although Apple initially told Dhanjani that it didn't consider the problem a security issue, it later issued a patch after others, including Microsoft, told users to stop running Safari.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon