You're browsing the Internet on your iPhone or iPad when you're suddenly prompted for some personal information. But you're no dummy: Before you enter it, you check the URL bar to confirm that you really are on a trusted site. When you're sure, you type in the information. Careful as you were, you still may have handed sensitive data to a bad guy.
How is that possible when you're absolutely certain that you're on a trustworthy website? Because right now you can't trust the URL bar on your iOS device's mobile Safari browser, thanks to a security exploit.
The exploit was first discovered by David Vieira-Kurz of MajorSecurity. It affects the mobile Safari browser on iOS 5.1 and has been tested on the iPhone 4, iPhone 4S, second-generation iPad and third-generation iPad. According to Vieira-Kurz, the exploit is possible thanks to an error in how new windows are opened using a javascript method:
This can be exploited to potentially trick users into supplying sensitive information to a malicious website, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another website than the displayed website.
MajorSecurity has created a demonstration of the exploit. You can check it out by following this link on a device which is running iOS 5.1. After pressing the "demo" button on that website, you will see Safari open a new window which displays "http://www.apple.com" in the URL bar, even though the website you're viewing is actually hosted on "http://www.majorsecurity.net."
There's no fix for the issue right now, but it shouldn't take long for Apple to patch the exploit. In the meantime, you should be careful about which links you follow.
--
Want more tech news, silly puns, or amusing links? You'll get plenty of all three if you keep up with Rosa Golijan, the writer of this post, by following her on Twitter , subscribing to her Facebook posts , or circling her on Google+ .
