Security Exploit Allows Address Bar Spoofing In iOS 5.1

David Vieira-Kurz of MajorSecurity.net has discovered a potential exploit in Apple's update iOS 5.1 release. The security issue involves Mobile Safari and is due to "an error within the handling of URLs when using javascript's window.open() method." Essentially, this means that a user can be taken to a fake version of some well-known commercial site while the browser's address bar actually mimics the legitimate site's URL (a phenomenon known as URL spoofing). Said user might then unwittingly hand over sensitive data to some unknown third party. For a secure demonstration, tap this link in Mobile Safari. Of course, for the grift to work, you've got to open some link that's been appropriately rigged. So, while we wait for Apple to fix the exploit, just take TUAW's advice:

[I]t's a good idea to not open untrusted links and to think twice about sending personal information to any website that asks for it through Safari on your iOS device.

Scam or no scam, them's rules to live by.

Related articles