November 28, 2014

Address Bar Spoofing Vulnerability in Safari in iOS

(LiveHacking.Com) – David Vieira-Kurz of MajorSecurity has discovered an address bar spoofing vulnerability in the Safari web browser used in iOS. The vulnerability, which is actually in WebKit – the rendering engine used on mobile Safari, allows an attacker to manipulate the address bar in the browser and take the user to a malicious site with a fake (but genuine looking) URL showing.

The vulnerability is caused due to an error in the handling of URLs when using javascript’s window.open() method. This can be exploited to trick users into supplying sensitive information to a malicious web site, because the address bar shows the URL of a genuine and trusted site.

Proof of concept
David has created a special web page which demonstrates the vulnerability at http://majorsecurity.net/html5/ios51-demo.html

  1. Visit the POC site with an Apple iOS device
  2. Click the “demo” button
  3. Safari will open a new window with “http://www.apple.com” in the address bar, but in fact the Apple web site is being displayed inside an iframe and the actual site is http://www.majorsecurity.net
  4. Safari’s address bar is showing “http://www.apple.com” which makes the user believe they are currently visiting Apple.com but in fact they are on another website.

The advisory says the vulnerability is present in iOS 5.0 and iOS 5.1 and that Apple have been informed. Our internal testing here at LiveHacking.com has shown that the vulnerability also exists in iOS 4.3.1 which could mean that all iOS 4 and iOS 5 devices are vulnerable.


Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks