Scammers Can Hide Fake URLs On the iPhone
CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."
And now for something completely different: (Score:5, Insightful)
Yeah... (Score:4, Insightful)
Re:And now for something completely different: (Score:3, Insightful)
There's a difference between allowing for ignorance and catering to it.
Re:Whose fault is it? (Score:3, Insightful)
Therefore hackers could register wellfargo.com, or wellsfargo.net, or a million variations and harvest usernames and passwords. Clearly URL spoofing did not play a part. Few people look closely at the URL.
How would a lock icon have helped? If the phishers own a similar domain name they can get an SSL certificate and there'll be a nice fancy lock icon showing that the connection is secure... it's just not going to the site you think it's going to.
Re:No "Hover" (Score:5, Insightful)
On most browsers/clients/systems you can "hover" over a hyperlink and see the URL it's going to. Not so with iOS.
If you touch-and-hold a URL in Mobile Safari, you are presented with a popup that contains the complete URL.
Nasty, but not a "new" problem (Score:3, Insightful)
Web security should never depend on a user recognising a specific pattern of pixels, either by determining whether that vertical bar with some marks at the top and bottom is a "1" or an "l" or by figuring out if the displayed UI element is part of the web page or not.
And, if your bank's website doesn't use two-factor authentication, disable it now.
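The lookalike-domain problem raised two comments up (wellfargo.com, wellsfargo.net and "a million variations") and the "1" versus "l" point just above are what typosquat detection in a proxy or mail gateway has to catch. The following is an added example, not code from the thread or from Dhanjani's write-up: it normalises homoglyphs, measures edit distance against a protected brand list, and also catches the brand appearing as a subdomain of somebody else's site. The protected list, the sample hostnames and the confusables table are constructed for this example, and the registrable domain is assumed to be the last two labels (a real deployment would use the public suffix list).

```javascript
// Added example, not from the Slashdot thread: flag hostnames that look like
// a protected brand domain. All inputs below are constructed for the demo.

// Constructed list of domains we want to protect.
const PROTECTED = ['wellsfargo.com'];

// Characters and pairs that render nearly alike in many fonts ("1" vs "l",
// "rn" vs "m"). Assumption: an illustrative table, not a full confusables list.
const MULTI_HOMOGLYPHS = { rn: 'm', vv: 'w' };
const SINGLE_HOMOGLYPHS = { '0': 'o', '1': 'l', '|': 'l', '5': 's' };

// Map a DNS label to a canonical form so homoglyph swaps compare equal.
function normalizeLabel(label) {
  let s = label.toLowerCase();
  for (const [from, to] of Object.entries(MULTI_HOMOGLYPHS)) s = s.split(from).join(to);
  return Array.from(s, (ch) => SINGLE_HOMOGLYPHS[ch] ?? ch).join('');
}

// Levenshtein edit distance, single-row dynamic programme.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Assumption: the registrable domain is the last two labels. A real
// implementation would consult the public suffix list (co.uk, com.au, ...).
function splitHost(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return {
    labels,
    tld: labels[labels.length - 1],
    sld: labels.length >= 2 ? labels[labels.length - 2] : '',
  };
}

// Note that a valid TLS certificate for wellfargo.com is trivially obtainable,
// so the padlock icon contributes nothing to this decision.
function classifyHost(host, protectedDomains = PROTECTED, maxDistance = 1) {
  const h = splitHost(host);
  for (const brand of protectedDomains) {
    const b = splitHost(brand);
    if (h.sld === b.sld && h.tld === b.tld) {
      return { verdict: 'legitimate', target: brand, distance: 0, reason: null };
    }
    const brandNorm = normalizeLabel(b.sld);
    // wellsfargo.com.evil.net: the brand appears as a subdomain of another site.
    if (h.labels.slice(0, -2).some((l) => normalizeLabel(l) === brandNorm)) {
      return { verdict: 'lookalike', target: brand, distance: 0, reason: 'brand-in-subdomain' };
    }
    const distance = levenshtein(normalizeLabel(h.sld), brandNorm);
    if (distance <= maxDistance) {
      let reason;
      if (distance === 0) reason = h.tld === b.tld ? 'homoglyph' : 'wrong-tld';
      else reason = h.tld === b.tld ? 'typo' : 'typo+wrong-tld';
      return { verdict: 'lookalike', target: brand, distance, reason };
    }
  }
  return { verdict: 'unrelated', target: null, distance: null, reason: null };
}

// Constructed sample of hostnames as they might appear in a proxy log.
const SAMPLE_HOSTS = [
  'www.wellsfargo.com', 'wellfargo.com', 'wellsfargo.net', 'wel1sfargo.com',
  'wellsfargo.com.evil.net', 'example.com',
];

function scanHosts(hosts = SAMPLE_HOSTS) {
  return hosts.map((host) => ({ host, ...classifyHost(host) }));
}

for (const r of scanHosts()) console.log(r.host.padEnd(26), r.verdict, r.reason ?? '');
```

Distance 1 is deliberately tight: at distance 2 a ten-letter brand starts matching unrelated words, so in practice the threshold is scaled to label length and the output is a review queue, not an automatic block.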
Feature (Score:3, Insightful)
I actually consider this a feature, not a bug.
I use Google Reader a ton in my iPod Touch's Safari mobile browser, and that site does the same thing. It and other sites that use this feature don't actually hide the URL bar permanently. Instead, the URL bar always acts like it's part of the top of the web page once the page is fully loaded and rendered (during loading and rendering, the bar displays, no matter what). So if you scroll down the page, the bar scrolls away. Scroll to the top of the page, and the bar scrolls into view.
With this feature, a site can ask the mobile Safari web browser to artificially simulate a scroll of the height of the bar. This is very nice, as it lets the web page have more assured screen space for its initial view. When you use a site like Google Reader a lot on your iPod Touch, it's nice to have this large initial view.
Instead of removing this feature, if something is to be done about the risk of a website using a visual trick against a user, I'd rather that a mark of some sort be placed on the status bar at the top, beside the clock, radio strength, battery charge, etc. This way, if a user sees a URL bar and that mark at the same time, then the URL bar he sees is obviously a fake.
Re:Android too (Score:3, Insightful)
FWIW, I'm not an Apple fan. At all. I just don't believe in spreading FUD, no matter the target. This is a feature to maximise screen space when browsing, which can be abused by imitating the URL bar with an image at the top of the page. It happens on at least Android and Apple devices. They should both be mentioned.
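The mechanism described in the "Feature" comment (the page asks Mobile Safari to scroll by the height of the bar once loaded) combined with the image-at-the-top imitation from the comment just above is easy to reproduce for testing on a device. The script below is an added example, not code from the thread or from Dhanjani's write-up: it generates a stand-alone HTML page that paints a fake address bar, scrolls the real one off-screen after load, and prints the real `location.host` further down the page so the tester can compare the two. The displayed URL, the bar styling and the viewport tag are constructed for this demo; which of the HTML "mobile site" directives mentioned in the summary matters is an assumption not exercised here, the demo relies only on the viewport meta tag and the post-load scroll.

```javascript
// Added example, not from the Slashdot thread: build a test page that fakes
// the Mobile Safari address bar and scrolls the real one out of view.
// Assumption: the displayed URL and the styling below are constructed.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

function buildSpoofDemoPage({ displayedUrl, barHeightPx = 60 }) {
  const shown = escapeHtml(displayedUrl);
  return `<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>fake address bar demo</title>
<style>
  /* The page must be taller than the viewport, or the scroll does nothing. */
  body { margin: 0; font-family: sans-serif; min-height: 2000px; }
  #fakebar { height: ${barHeightPx}px; background: #ddd; border-bottom: 1px solid #999;
             display: flex; align-items: center; padding: 0 8px; }
  #fakebar span { background: #fff; border: 1px solid #aaa; border-radius: 6px;
                  padding: 4px 8px; flex: 1; }
  #real { padding: 16px; }
</style>
</head>
<body>
<div id="fakebar"><span>&#x1F512; ${shown}</span></div>
<div id="real">
  <p>The grey bar above is part of this page, not the browser.</p>
  <p>Browser says this page was really loaded from: <strong id="host"></strong></p>
</div>
<script>
  document.getElementById('host').textContent = location.host;
  // Ask the browser to scroll by one pixel after load; Mobile Safari treats the
  // address bar as part of the page and scrolls it away with the content.
  window.addEventListener('load', function () {
    setTimeout(function () { window.scrollTo(0, 1); }, 0);
  });
</script>
</body>
</html>`;
}

if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(buildSpoofDemoPage({ displayedUrl: 'https://www.wellsfargo.com/' }));
}
```

Run it with `node spoofdemo.js > demo.html`, serve the file from any host you control and open it on the phone; the bar the page paints stays at the top while the real bar scrolls away. Serving it over HTTP rather than opening it from a file is what makes the `location.host` line useful, since a `file://` load shows an empty host.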