
Scammers Can Hide Fake URLs On the iPhone

CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."
  • by Aerorae ( 1941752 ) on Monday November 29, 2010 @07:11PM (#34381442)
    In other news, Apple tells the world it has the most perfectly designed mobile devices in the world. No, in all honesty, 90% of web surfers never look at the address anyway. They click a link and expect that it takes them where it says it will. So I wouldn't call this an Apple issue, as they designed their interface with this fact in mind, so much as a consequence of user behavior and a company that is happy to oblige by supporting bad habits.
  • Yeah... (Score:4, Insightful)

    by The MAZZTer ( 911996 ) <<megazzt> <at> <gmail.com>> on Monday November 29, 2010 @07:21PM (#34381558) Homepage
    This is why modern browsers ignore such directives. Remember the window.open parameter that allowed you to hide the URL bar? Yeah, only IE8 respects that switch now; all modern browsers ignore it and show the bar anyway.
  • by wizardforce ( 1005805 ) on Monday November 29, 2010 @07:28PM (#34381654) Journal

    There's a difference between allowing for ignorance and catering to it.

  • by 0123456 ( 636235 ) on Monday November 29, 2010 @07:34PM (#34381724)

    Therefore hackers could register wellfargo.com, or wellsfargo.net, or a million variations and harvest usernames and passwords. Clearly URL spoofing did not play a part. Few people look closely at the URL.

    How would a lock icon have helped? If the phishers own a similar domain name they can get an SSL certificate and there'll be a nice fancy lock icon showing that the connection is secure... it's just not going to the site you think it's going to.

  • Re:No "Hover" (Score:5, Insightful)

    by farnsworth ( 558449 ) on Monday November 29, 2010 @07:48PM (#34381858)

    On most browsers/clients/systems - you can "hover" over a hyperlink and see the URL it's going to. Not so with iOS

    If you touch-and-hold a url in mobile safari, you are presented with popup that contains the complete url.

  • by ekhben ( 628371 ) on Monday November 29, 2010 @08:01PM (#34381988)

    Web security should never depend on a user recognising a specific pattern of pixels, either by determining whether that vertical bar with some marks at the top and bottom is a "1" or an "l" or by figuring out if the displayed UI element is part of the web page or not.

    And, if your bank's website doesn't use two-factor authentication, disable it now.

  • Feature (Score:3, Insightful)

    by pgn674 ( 995941 ) on Tuesday November 30, 2010 @01:05AM (#34384700) Homepage

    I actually consider this a feature, not a bug.

    I use Google Reader a ton in my iPod Touch's Safari mobile browser, and that site does the same thing. It and other sites that use this feature don't actually hide the URL bar permanently. Instead, the URL bar always acts like it's part of the top of the web page once the page is fully loaded and rendered (during loading and rendering, the bar displays, no matter what). So if you scroll down the page, the bar scrolls away. Scroll to the top of the page, and the bar scrolls into view.

    With this feature, a site can ask the mobile Safari web browser to artificially simulate a scroll of the height of the bar. This is very nice, as it lets the web page have more assured screen space for its initial view. When you use a site like Google Reader a lot on your iPod Touch, it's nice to have this large initial view.

    Instead of removing this feature, if something is to be done about the risk of a website using a visual trick against a user, I'd rather that a mark of some sort be placed on the status bar at the top, beside the clock, radio strength, battery charge, etc. This way, if a user sees a URL bar and that mark at the same time, then the URL bar he sees is obviously a fake.

  • Re:Android too (Score:3, Insightful)

    by L4t3r4lu5 ( 1216702 ) on Tuesday November 30, 2010 @07:48AM (#34386820)
    They don't fail to make the connection with other platforms; they exclude other platforms totally and focus only on one, specifically. When there are other devices on the mass market which behave in exactly the same way, yet the article makes no reference to them whatsoever, the article is certainly biased.

    FWIW, I'm not an Apple fan. At all. I just don't believe in spreading FUD, no matter the target. This is a feature to maximise screen space when browsing, which can be abused by imitating the URL bar with an image at the top of the page. It happens on at least Android and Apple devices. They should both be mentioned.
