
Scammers Can Hide Fake URLs On the iPhone

Posted by Soulskill
from the don't-believe-everything-you-see dept.
CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."
  • Re:No "Hover" (Score:3, Informative)

    by JesseDegenerate (936699) on Monday November 29, 2010 @07:45PM (#34381834)
    How is that? When I press on a link and hold down, on my iPhone, it gives me the full address, the option to copy the link, open the link, or open in a new page. I guess I'm special!
  • by node 3 (115640) on Tuesday November 30, 2010 @12:32AM (#34384416)

    Half the time you can't see the full URL on a widescreen monitor. But at least you can always see what domain you are on (barring Unicode homographs), I would like it if there was a popup in the bottom of my phone browser showing just the domain--maybe even with Unicode spoofs highlighted. They could really innovate with that feature. Or they could leave their "shiny" interface the way it is and not worry about people being stupid.

    This isn't about obfuscating the URL, it's about hiding the address bar (on the iPhone, what it does is push the address bar above the screen, kind of like how an anchor tag takes you to a specific spot in a page). Then it puts an image at the top that looks like the address bar and that image can have any URL it wants.

    I'm assuming it's possible to turn on the address bar, right? Because if they actually prevent people from trying to be smart about it, THEN they are being unreasonable.

    At least in the example given, it doesn't turn off the address bar, it just loads the page with it pushed off the page.

    I just tried the test in the story, and it's rather clever, but all you have to do is scroll up to verify the site. I can definitely see how it's going to be something Apple isn't going to have an easy time figuring out how to fix because it's not a technological issue, it's a social engineering issue.

  • Android too (Score:4, Informative)

    by L4t3r4lu5 (1216702) on Tuesday November 30, 2010 @05:57AM (#34386366)
    The stock Android browser hides the address bar, so you need to scroll up slightly to see it. That's all that this attack is relying on. My HTC Desire does it.

    This isn't an Apple problem, this article is an Apple-bashing troll. Kill it.
