Spoofing Flaw Discovered In Safari Mobile Browser
March 24, 2012

Computer security experts have discovered a new vulnerability in Apple's mobile Safari web browser that can make it look like a user is visiting one website when they are actually viewing a page hosted elsewhere.

According to Andrew Webster of The Verge, the security flaw is present in Safari for iOS 5.1 and was discovered earlier this month by members of the German security firm MajorSecurity. The vulnerability "makes it possible to put a spoof URL in the address bar to trick users into visiting a potentially dangerous site," he added.

"The weakness is caused due to an error within the handling of URLs when using javascript's window.open() method," MajorSecurity's David Vieira-Kurz told CNET reporter Lance Whitney on Friday.

"This can be exploited to potentially trick users into supplying sensitive information to a malicious Web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site," he added.

The flaw has been tested on the iPhone 4, iPhone 4S, second-generation iPad and third-generation iPad, according to MSNBC.com technology blogger Rosa Golijan. To demonstrate the vulnerability, MajorSecurity published a link to a page that appears to belong to Apple: it displays "http://www.apple.com" in the address bar, but is actually hosted on the security firm's own website.

Whitney reports that the error was first discovered in iOS 5.0, and Webster said that he and his colleagues were able to reproduce it in Safari running on iOS 5.0.1. Webster also said that Apple was reportedly aware of the error and that he expected a fix or a patch to be released "soon", likely "in its next iOS update," according to Whitney.

"That's not the only problem with the iOS version of Safari, though," Webster added, pointing out that reports have surfaced claiming that, despite the new iPad's higher-resolution display, the web browser "will still downscale images as it does with older devices. So anytime you view an image larger than 1024 pixels, it will be rescaled in order to keep your browser running smoothly. But this also means that you can't view large-scale images in all their glory on your nice new iPad display."