Scammers Can Hide Fake URLs On the iPhone

Posted by Soulskill
from the don't-believe-everything-you-see dept.
CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."

  • by robot256 (1635039) on Monday November 29, 2010 @07:22PM (#34381584)

    Half the time you can't see the full URL on a widescreen monitor. But at least you can always see what domain you are on (barring Unicode homograms). I would like it if there was a popup at the bottom of my phone browser showing just the domain--maybe even with Unicode spoofs highlighted. They could really innovate with that feature. Or they could leave their "shiny" interface the way it is and not worry about people being stupid.

    I'm assuming it's possible to turn on the address bar, right? Because if they actually prevent people from trying to be smart about it, THEN they are being unreasonable.
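    An added example of the "just show me the domain" indicator robot256 describes, written for this page (it is not code from the thread, from Apple, or from Dhanjani's write-up). It uses only the WHATWG URL class, which lowercases the host and IDNA-encodes non-ASCII labels to their xn-- punycode form, so it runs in Node or in a browser. The hostnames, the attacker/bank names, and the tiny public-suffix set are all constructed for the demonstration; a real indicator would load the full Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List: suffixes that take two
// labels, so that "shop.example.co.uk" resolves to "example.co.uk".
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Return the part of the host a user should key on: the registrable domain.
// For "www.bank.example.login.attacker.example" that is "attacker.example";
// everything to its left is chosen freely by whoever owns attacker.example.
function registrableDomain(host) {
  const labels = host.split('.');
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join('.');
  const n = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-n).join('.');
}

// Describe a URL the way a minimal, honest address indicator should:
// the host the browser will actually talk to, its registrable domain, and
// any reasons the user should be suspicious.
function describeHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }

  // WHATWG URL parsing has already lowercased the host and converted any
  // Unicode labels to punycode ("xn--...").
  const host = url.hostname;
  if (host === '') {
    // javascript:, data:, about: and similar schemes have no host at all.
    return { ok: false, reason: `no host (scheme ${url.protocol})` };
  }

  const warnings = [];

  // Non-ASCII labels are what make homograph attacks possible. Flag them,
  // as robot256 suggests, instead of silently rendering the Unicode form.
  const punycodeLabels = host.split('.').filter((l) => l.startsWith('xn--'));
  if (punycodeLabels.length > 0) {
    warnings.push(`non-ASCII label(s): ${punycodeLabels.join(', ')}`);
  }

  // "https://bank.example@attacker.example/" puts the bank's name first on a
  // narrow screen; the real host is whatever follows the "@".
  if (url.username !== '') {
    warnings.push(`userinfo before host: ${url.username}`);
  }

  if (url.protocol !== 'https:') {
    warnings.push(`not HTTPS (${url.protocol})`);
  }

  return { ok: true, host, domain: registrableDomain(host), warnings };
}

// Constructed sample input: a long path that looks like a bank's login page
// but lives under attacker.example.
const sample = describeHost('https://www.bank.example.login.attacker.example/signin');
console.log(sample.domain, sample.warnings);
```

    The point of the helper is the field it does not show: the left-hand labels and the path, which is the part of a long URL that survives on a small screen and the part the attacker controls. Showing the registrable domain, plus a warning whenever a label is punycode or the URL carries userinfo, gives the user the one thing a spoofed page cannot fake without also owning the domain.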

  • Exploit variant (Score:3, Interesting)

    by sootman (158191) on Monday November 29, 2010 @09:36PM (#34382956) Homepage Journal

    An even better way to take advantage of this exploit: Once you've got your page that hides the address bar, at the top of the page show a graphic of Safari's address bar with a totally legit URL. You could even make it a form field so people could click into it and type, and if they click 'Go' have it take you to whatever site they asked for. (Or not.)

