Apple iPhone and iPad users surfing the Web with Safari could easily and with almost no warning end up on spoofed websites controlled by identity thieves, according to a proof-of-concept hack demonstrated by the German company MajorSecurity.
The security glitch exploits a JavaScript error in the way JavaScript's window-opening method handles URLs, and, as David Vieira-Kurz of MajorSecurity wrote in a blog post, "This can be exploited to potentially trick users into supplying sensitive information to a malicious Web site."
Vieira-Kurz said an attacker could theoretically encode the information in the address bar "in a certain way, which may lead users to believe that they're visiting another Web site than the displayed Web site."
MajorSecurity demonstrated the proof-of-concept exploit; on a device running iOS 5.1, the researchers tricked the URL bar into displaying www.apple.com, when in fact the website was actually hosted by www.majorsecurity.net.
The flaw affects the mobile Safari browser on iOS 5.1, the most up-to-date version of Apple's smartphone and tablet software, and the previous version, iOS 5.0.1, and has been tested on the iPhone 4, iPhone 4S and both the new iPad and the iPad 2.
Apple did not immediately respond to a request for comment.
SecurityNewsDaily tested out the proof-of-concept exploit, and discovered that the spoofed website appears in a very small window on all browsers except iOS Safari. In Safari, the spoofed site takes up the entire screen, preventing victims from knowing they are navigating to a phony, and potentially malicious, site.
