
Scammers Can Hide Fake URLs On the iPhone

Posted by Soulskill
from the don't-believe-everything-you-see dept.
CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."
  • by Aerorae (1941752) on Monday November 29, 2010 @07:11PM (#34381442)
    In other news, Apple tells the world it has the most perfectly designed mobile devices in the world. No, in all honesty 90% of web surfers never look at the address anyways. They click a link and expect that it takes them where it says it will. So I wouldn't call this an Apple issue, as they designed their interface with this fact in mind, so much as a consequence of user behavior and a company that is happy to oblige by supporting bad habits.
    • Re: (Score:3, Insightful)

      by wizardforce (1005805)

      There's a difference between allowing for ignorance and catering to it.

  • Why, he's pretending to be another site! The audacity!

    Fake sites, scam sites, trickery and shenanigans abound. Welcome to the intertubes.
    • by andybak (542829)
      You haven't really thought about this issue in any depth, have you? Still. I'm glad you got that impulse to comment on something you don't really care about out of your system.
  • Yeah... (Score:4, Insightful)

    by The MAZZTer (911996) <<megazzt> <at> <gmail.com>> on Monday November 29, 2010 @07:21PM (#34381558) Homepage
    This is why modern browsers ignore such directives. Remember the window.open parameter that allowed you to hide the url bar? Yeah, only IE8 respects that switch now, all modern browsers ignore it and show the bar anyway.
    • Yeah, only IE8 respects that switch now, all modern browsers ignore it and show the bar anyway.

      One of the security options in IE is "Allow websites to open windows without address or status bars" and it is disabled by default.

      • One of the security options in IE is "Allow websites to open windows without address or status bars" and it is disabled by default.

        The fact that this even exists as an option is ... interesting, shall we say.

        Cheers,

        • Yes, choice sucks... There should only be one possible option for all situations, because if it doesn't work for you then it won't work for anyone else.
        • The fact that this even exists as an option is ... interesting, shall we say.

          If you think that is interesting then your mind is going to be blown when you eventually learn of about:config in Firefox. There are options for EVERYTHING there!

          Seriously, I'm not sure why you think it is interesting. Microsoft changed the behaviour of the browser, but kept an option around for people who need or prefer the old ways. By having the option in the security tab, you also have the ability to have different settings in each zone so that Intranet applications can still hide the browser cruft. M

          • I never understood why MS ever thought it would be useful -- for the end user -- to hide the URL bar. The *only* use cases I can think of are devious and unhelpful to the end user.

            And thanks for about:config, but that comes as no news. It also bears mentioning that Firefox doesn't actually have options for "everything" per se -- I cannot find any option to hide the URL bar, for instance, but maybe I'm just not seeing it.

            Cheers,

            • by redJag (662818)
              Perhaps for computers that are shipped as appliances and use a web app to configure them. The company I work for does touchscreen kiosks that run Windows and would probably be interested in turning that ability on. That is a slim use case, for sure, but a valid one :)
              • Wouldn't a separate build be more appropriate in such a case? Much of the functionality in a full-on desktop install of a browser would only eat up valuable space in an appliance environment.

                Then again, this is Microsoft, who seem to think that Windows is great on appliance machines...

                Cheers,

                • Why should they have to maintain a separate build just for the sake of not having a single checkbox in the configuration options? Surely not to save space, because it wouldn't take much code to check a setting before adding the address and status lines.

                  It is not even one of the more esoteric options on offer. Even a novice would be able to work out what it means.

                  • Even a novice would be able to work out what it means.

                    Seriously, you're thinking like a geek. Mind you, I don't mean that in a bad way. But I do mean that someone with your perspective is not someone who would most likely be disadvantaged by someone else hiding the URL bar, as you'd be wary and experienced enough to notice, and wonder what was up.

                    Why should they have to maintain a separate build just for the sake of not having a single checkbox in the configuration options? Surely not to save space, because it wouldn't take much code to check a setting before adding the address and status lines.

                    Redjag suggested that the option might be useful for appliance purposes. My reply about separate builds was precisely for this context -- so far the only useful and non-devious one mentioned for hiding the URL bar.

                    • Seriously, you're thinking like a geek. Mind you, I don't mean that in a bad way. But I do mean that someone with your perspective is not someone who would most likely be disadvantaged by someone else hiding the URL bar, as you'd be wary and experienced enough to notice, and wonder what was up.

                      Yes, but by the same reckoning only a geek would go into the advanced options of the security settings in the first place. Considering that the facility is switched off by default, then you are worried about nothing.

                      a separate build that saves space would indeed be very much desired

                      I have used IE in kiosk mode to knock up an info system for customers. At no time was there a need for a cut down build of Internet Explorer. If you are using a system that can run Windows, then you can easily handle the normal browser code being loaded even if it isn't used.

                      Is there any utility for end users of a full-on desktop browser installation for an option to hide the URL bar? I see plenty of utility for others -- megacorps, phishers, and assorted other ne'er-do-wells -- but I can think of no compelling use for regular old end users.

                      I once wrote an HTML [wikipedia.org]

    • by node 3 (115640)

      That's not true. Even Firefox doesn't ignore it. Firefox still shows the URL, but hides the rest of the address bar. Safari hides the address bar, but you can show it with CMD-L. I don't have Chrome handy, so I can't test that.

  • On most browsers/clients/systems - you can "hover" over a hyperlink and see the URL it's going to. Not so with iOS
    • Re: (Score:3, Informative)

      How is that? When I press on a link and hold down, on my iPhone, it gives me the full address, the option to copy the link, open the link, or open in a new page. I guess I'm special!
    • Re:No "Hover" (Score:5, Insightful)

      by farnsworth (558449) on Monday November 29, 2010 @07:48PM (#34381858)

      On most browsers/clients/systems - you can "hover" over a hyperlink and see the URL it's going to. Not so with iOS

      If you touch-and-hold a url in mobile safari, you are presented with popup that contains the complete url.

  • I'm just complaining, but I tried to publicize this through Slashdot back in October and was ignored. http://twitter.com/mootcycle/status/27965429016/ [twitter.com] I also made the point that mobile browsers don't display enough of the URL. accounts.google.com.evil-lemur.com only shows the first bit of the URL. Oh well. I suppose I should have tried harder to get someone to pay attention.
  • by ekhben (628371) on Monday November 29, 2010 @08:01PM (#34381988)

    Web security should never depend on a user recognising a specific pattern of pixels, either by determining whether that vertical bar with some marks at the top and bottom is a "1" or an "l" or by figuring out if the displayed UI element is part of the web page or not.

    And, if your bank's website doesn't use two-factor authentication, disable it now.

  • STUPID all of us.

  • "Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view," he said. "Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."

    Even if the true URL were visible it still wouldn't help much--people would still visit www.bankofamercia.com or www.bankofamerica.evilsite.com or www.bankofamericaonline.net or any one of a million other correct-looking domains.

    "I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view"

    Yes, let's make everyone's experience worse just to help a small percentage of people who couldn't use the information shown to help themselves anyhow. No, thanks.
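  • The two display problems raised above, mootcycle's point that a narrow field shows only the leftmost part of accounts.google.com.evil-lemur.com and Dhanjani's suggestion of a domain indicator the page cannot alter, as an added example that is not code from the thread, from Dhanjani's post or from Safari. It contrasts left-anchored truncation with showing the registrable domain right-anchored and demoting everything in front of it. SUFFIXES is a constructed three-entry stand-in for the Public Suffix List (an assumption; a real indicator needs the full list), and the sample URLs are built from the thread's own examples.

```javascript
// Added example, not code from the thread or from Apple/Safari. Contrasts what
// a narrow, left-anchored address field shows for a long hostname with what an
// indicator pinned outside the page's reach should show: the registrable
// domain, right-anchored, with the attacker-chosen labels in front demoted.
// ASSUMPTION: SUFFIXES is a constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Hostname as the URL parser sees it: lower-cased, IDN labels converted to
// punycode (xn--...), any userinfo before '@' discarded, trailing dot dropped.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase().replace(/\.$/, '');
}

function isIpLiteral(host) {
  return host.startsWith('[') || /^\d{1,3}(?:\.\d{1,3}){3}$/.test(host);
}

// eTLD+1: the shortest suffix of the host that a single registrant controls.
function registrableDomain(host) {
  if (isIpLiteral(host)) return host;
  const labels = host.split('.');
  const suffixLen = SUFFIXES.has(labels.slice(-2).join('.')) ? 2 : 1;
  if (labels.length <= suffixLen) return host;
  return labels.slice(-(suffixLen + 1)).join('.');
}

// What a width-limited field anchored at the left ends up showing.
function leftTruncated(url, width) {
  return url.length > width ? url.slice(0, width) + '...' : url;
}

// Both renderings side by side: the truncated string a phone-width bar would
// show, the registrable domain an indicator should show, and the subdomain
// prefix (everything the registrant of `registrable` can pick freely).
function compareDisplays(url, width) {
  const host = hostOf(url);
  const registrable = registrableDomain(host);
  const prefix = host === registrable
    ? ''
    : host.slice(0, host.length - registrable.length - 1);
  return { truncated: leftTruncated(url, width), registrable, prefix };
}

// Constructed samples taken from the examples in the thread, plus two
// variants a phishing kit would also try: a userinfo decoy and an IDN lookalike
// (Cyrillic U+0430 in place of the Latin 'a').
const SAMPLES = [
  'https://accounts.google.com.evil-lemur.com/ServiceLogin',
  'https://www.bankofamerica.evilsite.com/login',
  'https://www.bankofamericaonline.net/',
  'https://www.bankofamerica.com/',
  'https://login.example.co.uk/',
  'https://accounts.google.com@evil.example/',
  'https://b\u0430nkofamerica.com/',
];

for (const url of SAMPLES) {
  const { truncated, registrable, prefix } = compareDisplays(url, 30);
  console.log(`${truncated.padEnd(34)} -> domain: ${registrable}` +
              (prefix ? `  (prefix: ${prefix})` : ''));
}
```

    The 30-character width is arbitrary; the point is that the left-anchored string for the evil-lemur URL stops inside "google.com", while the right-anchored domain is evil-lemur.com whatever the width. The punycode form of the IDN lookalike is what the parser hands back, which is the form the indicator should show rather than the Unicode one.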

  • Exploit variant (Score:3, Interesting)

    by sootman (158191) on Monday November 29, 2010 @09:36PM (#34382956) Homepage Journal

    An even better way to take advantage of this exploit: Once you've got your page that hides the address bar, at the top of the page show a graphic of Safari's address bar with a totally legit URL. You could even make it a form field so people could click into it and type, and if they click 'Go' have it take you to whatever site they asked for. (Or not.)

    • I'm not entirely sure how showing "a graphic of Safari's address bar with a totally legit URL" (which you suggest) is "even better" than showing a graphic of Safari's address bar with a totally legit URL (which is what the article describes)

      • by sootman (158191)

        Ah. I found my problem -- two TFAs to read. :-) It's not specified in the first one.

  • ... that Chrome's protocol-hiding will cause similar problems one of these days. I don't know how, I don't know when, I don't know where -- but I do know that someone's going to use it to cause harm.

  • Feature (Score:3, Insightful)

    by pgn674 (995941) on Tuesday November 30, 2010 @01:05AM (#34384700) Homepage

    I actually consider this a feature, not a bug.

    I use Google Reader a ton in my iPod Touch's Safari mobile browser, and that site does the same thing. It and other sites that use this feature don't actually hide the URL bar permanently. Instead, the URL bar always acts like it's part of the top of the web page once the page is fully loaded and rendered (during loading and rendering, the bar displays, no matter what). So if you scroll down the page, the bar scrolls away. Scroll to the top of the page, and the bar scrolls into view.

    With this feature, a site can ask the mobile Safari web browser to artificially simulate a scroll of the height of the bar. This is very nice, as it lets the web page have more assured screen space for its initial view. When you use a site like Google Reader a lot on your iPod Touch, it's nice to have this large initial view.

    Instead of removing this feature, if something is to be done about the risk of a website using a visual trick against a user, I'd rather that a mark of some sort be placed on the status bar at the top, beside the clock, radio strength, battery charge, etc. This way, if a user sees a URL bar and that mark at the same time, then the URL bar he sees is obviously a fake.
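  • The mechanism pgn674 describes above (a mobile-declared page nudging the bar off-screen after load) combined with the fake bar sootman describes earlier in the thread, as an added triage check that is not code from the thread or from Dhanjani's write-up. It scans raw HTML for the three ingredients together, so that a legitimate Google Reader style page that only reclaims screen space is reported differently from one that also paints its own bar. Assumptions: the scroll is done with window.scrollTo(0, n) for a small n (the thread never names the call), the checks are regexes over the HTML rather than a rendered DOM, and the three sample pages are constructed.

```javascript
// Added example, not code from the thread or from Dhanjani's write-up.
// Heuristic triage of raw HTML for the three ingredients of the trick:
//   1. the page advertises itself as a mobile site (a viewport <meta>),
//   2. it scrolls the real address bar out of view right after load,
//   3. it draws its own "address bar" pinned to the top of the viewport.
// Ingredient 2 alone is the legitimate screen-space feature; only 1+2+3 is
// the spoof. ASSUMPTION: the scroll is done via window.scrollTo(0, n) with a
// small n; the thread describes the effect, not the call.

const VIEWPORT_META = /<meta\b[^>]*\bname\s*=\s*["']?viewport\b/i;
const BAR_SCROLL = /\bscrollTo\s*\(\s*0\s*,\s*\d{1,2}\s*\)/;
// Something pinned to the top edge, or an image whose name says it is a bar.
const TOP_PINNED = /position\s*:\s*(?:fixed|absolute)\s*;[^>"']*\btop\s*:\s*0(?:px)?\b/i;
const BAR_IMAGE = /<img\b[^>]*\bsrc\s*=\s*["'][^"']*(?:address|url)[-_]?bar/i;

// Returns the individual indicators plus a verdict:
//   'clean'     - does not ask Safari to treat it as a mobile page, or never scrolls
//   'hides-bar' - mobile page that scrolls the bar away (the Google Reader case)
//   'spoof'     - hides the bar AND paints a replacement at the top
function spoofIndicators(html) {
  const mobileMeta = VIEWPORT_META.test(html);
  const scrollsBarAway = BAR_SCROLL.test(html);
  const fakeBar = TOP_PINNED.test(html) || BAR_IMAGE.test(html);
  let verdict = 'clean';
  if (mobileMeta && scrollsBarAway) verdict = fakeBar ? 'spoof' : 'hides-bar';
  return { mobileMeta, scrollsBarAway, fakeBar, verdict };
}

// Constructed sample 1: the attack page. Declares itself mobile, scrolls the
// real bar away on load, and pins an image of a bar showing a bank URL.
const SPOOF_PAGE = `<html><head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<script>
  window.addEventListener('load', function () {
    setTimeout(function () { window.scrollTo(0, 1); }, 0);
  });
</script>
</head><body>
<div style="position:fixed;top:0;left:0;width:100%;height:60px;background:#ccc">
  <img src="/img/safari-url-bar.png" alt="https://www.bankofamerica.com/">
</div>
<form action="/collect" method="post">Online ID: <input name="id"></form>
</body></html>`;

// Constructed sample 2: a reader-style page that only reclaims screen space.
const READER_LIKE_PAGE = `<html><head>
<meta name="viewport" content="width=device-width">
<script>window.onload = function () { window.scrollTo(0, 1); };</script>
</head><body><div class="feed-list"><h1>Unread items</h1></div></body></html>`;

// Constructed sample 3: a desktop page with no mobile declaration at all.
const PLAIN_PAGE = `<html><head><title>Hello</title></head>
<body><p>Nothing to see here.</p></body></html>`;

for (const [name, html] of [['spoof', SPOOF_PAGE], ['reader', READER_LIKE_PAGE], ['plain', PLAIN_PAGE]]) {
  console.log(name, spoofIndicators(html));
}
```

    Name-based checks like BAR_IMAGE are trivially evaded by renaming the file, so the pinned-element check does the real work; even then this is an analyst's triage aid over captured pages, not a control, and the real fix discussed in the thread is a domain indicator the page content cannot reach.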

  • Android too (Score:4, Informative)

    by L4t3r4lu5 (1216702) on Tuesday November 30, 2010 @05:57AM (#34386366)
    The stock Android browser hides the address bar, so you need to scroll up slightly to see it. That's all that this attack is relying on. My HTC Desire does it.

    This isn't an Apple problem, this article is an Apple-bashing troll. Kill it.
    • by andybak (542829)
      I don't know where you got the impression that this was Apple-bashing. They failed to make the connection with other platforms but in my view the Apple bashing was all in your mind.
      • Re: (Score:3, Insightful)

        by L4t3r4lu5 (1216702)
        They don't fail to make the connection with other platforms, they exclude other platforms totally and focus only on one, specifically. When there are other devices, on the mass market, which behave in exactly the same way, yet the article makes no reference to them whatsoever, the article is certainly biased.

        FWIW, I'm not an Apple fan. At all. I just don't believe in spreading FUD, no matter the target. This is a feature to maximise screen space when browsing, which can be abused by imitating the URL bar
  • You mean there isn't an App for that?
