Malicious Web developers can take advantage of the iPhone’s ability to push Safari’s address bar out of view, says independent security researcher Nitesh Dhanjani in a post on his personal blog. After a Web page loads, the real address bar can disappear, and a website graphic depicting the address bar can be used to trick users into thinking they’re on the correct site.
This weakness stems from a design decision by Apple. The bar is hidden only on websites that identify themselves as mobile sites, so that Web developers can take advantage of more of the “precious screen real estate” on the iPhone’s small screen, says Dhanjani. However, for phishers, this could be a new way to direct users to dangerous websites.
Dhanjani created a proof-of-concept demo of how this phishing attack could work, which iPhone users can try (safely) at the following URL: http://www.dhanjani.com/iphone-safari-ui-spoofing/.
If you don’t have an iPhone to test it, you can watch this YouTube video instead.
In the demo, mobile Safari visits a Web page that looks nearly identical to Bank of America’s mobile website. The website name and lock icon even appear in green, an indication that the website is protected via SSL. However, as the demo shows, the graphic is not the real address bar. If you scroll up, the actual address bar appears at the top of the page.
Although the problem Dhanjani demonstrates is only observable in mobile Safari today, the researcher cautions that third-party applications that contain their own Web browser could be built to take advantage of this security weakness, too. “In the case of iOS, since most applications are full-screen, it is in the interest of the application designers to keep the users immersed within their application instead of yanking the user out into Safari to render web content,” Dhanjani explained. “Given this situation, it becomes vital for iOS to provide consistency so the user can be ultimately assured what domain the web content is being rendered from.”
He recommends that developers of iOS applications make sure they clearly display the domain from which they’re rendering content.
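One way an app could follow that recommendation, shown here as an added example that is neither Dhanjani’s code nor Apple’s: a hypothetical in-app browser that labels the host from WKWebView’s own url property in a native view the loaded page cannot paint over. It assumes WKWebView (modern iOS); the start URL is a constructed placeholder.

```swift
import UIKit
import WebKit

/// Hypothetical in-app browser: the origin is shown in a native label above the
/// web view, driven by the web view's actual URL rather than by page content.
final class InAppBrowserViewController: UIViewController {
    private let webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())
    private let domainLabel = UILabel()
    private var urlObservation: NSKeyValueObservation?

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground
        domainLabel.textAlignment = .center
        domainLabel.font = .preferredFont(forTextStyle: .subheadline)
        domainLabel.translatesAutoresizingMaskIntoConstraints = false
        webView.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(domainLabel)
        view.addSubview(webView)
        // The label lives outside the web view's frame, so nothing the page
        // renders (including a fake address bar graphic) can cover it.
        NSLayoutConstraint.activate([
            domainLabel.topAnchor.constraint(equalTo: view.safeAreaLayoutGuide.topAnchor),
            domainLabel.leadingAnchor.constraint(equalTo: view.leadingAnchor),
            domainLabel.trailingAnchor.constraint(equalTo: view.trailingAnchor),
            domainLabel.heightAnchor.constraint(equalToConstant: 32),
            webView.topAnchor.constraint(equalTo: domainLabel.bottomAnchor),
            webView.leadingAnchor.constraint(equalTo: view.leadingAnchor),
            webView.trailingAnchor.constraint(equalTo: view.trailingAnchor),
            webView.bottomAnchor.constraint(equalTo: view.bottomAnchor),
        ])
        // WKWebView.url is KVO-compliant; refresh the label on every navigation,
        // redirects included, so it always reflects the real origin.
        urlObservation = webView.observe(\.url, options: [.initial, .new]) { [weak self] webView, _ in
            self?.showOrigin(of: webView.url)
        }
        // Constructed placeholder start page for this example.
        webView.load(URLRequest(url: URL(string: "https://example.com/")!))
    }

    private func showOrigin(of url: URL?) {
        guard let url = url, let host = url.host else {
            domainLabel.text = "Loading…"; domainLabel.textColor = .secondaryLabel; return
        }
        // Scheme check only; certificate validation is still done by WebKit itself.
        let secure = url.scheme?.lowercased() == "https"
        domainLabel.text = (secure ? "Secure: " : "Not secure: ") + host
        domainLabel.textColor = secure ? .systemGreen : .systemRed
    }
}
```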
Any Solutions?
Dhanjani also says he alerted Apple to the issue. “They let me know they are aware of the implications but do not know when and how they will address the issue,” he says.
Meanwhile, third-party security firms are jumping on this news to promote their own “safe surfing” products – for example, Trend Micro and its Smart Surfing for iPhone app, an alternative Web browser application that always shows the system’s address bar.
However, there may be a simpler solution to all of this until Apple makes any changes: just scroll up.