Safari's Hidden URLs on iPhone Could Let in Malware
Researcher Nitesh Dhanjani demonstrated how a legitimate Safari address bar can be replaced with a fake one on the iPhone.
To maximize screen space, the iPhone automatically hides Safari's address bar while the user browses the web. Though it seems insignificant, this behavior could have serious implications for the phone's millions of devoted users.
On his website, www.dhanjani.com, security researcher Nitesh Dhanjani demonstrated how, once Safari hides the real address bar from view, it can be replaced with a fake address bar supplied by an untrustworthy source, such as a site that attempts to infect the device with malware.
Non-mobile web browsers aren't faced with such attacks, Dhanjani said, because they don't allow arbitrary sites to hide the address bar.
Dhanjani used Bank of America's mobile site in his demonstration. As soon as the bank's legitimate page loaded and the URL vanished, he implanted his own fake address bar. The real one remained hidden, revealed only when the user scrolled to the top of the screen past the fake one.
He explained that the bank, because it is often a target for phishing attacks, advises customers in the safe online banking tips on its website to check the browser's address bar to confirm they are on the bank's legitimate site. But in practice, they are leaving themselves open to the very attacks they are trying to prevent.
"When you go to Bank of America's (mobile) site using Safari on the iPhone, the very address bar they recommend their customers watch for disappears from sight," Dhanjani said.
Dhanjani said the problem could be fixed if Apple designates a consistent location where URLs can be displayed in applications using iOS, Apple's mobile operating system.