In association with heise online

20 March 2012, 16:09

Address spoofing vulnerability in iOS's Safari - Update

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

iPad screenshot
Zoom The address bar says Apple, but the text below says its actually coming from
Through a vulnerability in WebKit in the mobile version of Safari, an attacker could manipulate the address bar in the browser and lead the user to a malicious site with a fake URL showing above it. The security researcher David Vieira-Kurz has published an advisory which explains the problem. Incorrect handling of the URL when the JavaScript method "" is used allows an attacker to "own" HTML and JavaScript code in the new window and, in turn, change the address bar of the window.

The research demonstrated the vulnerability at – a "Demo" button opens a new page that loads in borderless iframe and also displays in the addressbar, but the page itself has originated from Fraudsters could use the vulnerability for phishing attacks by sending users to pages which appear to be their bank and asking for account data.

The vulnerability affects WebKit 534.46 in the latest iOS version 5.1, though earlier versions of iOS may also exhibit the problem. Users of third party browsers based on WebKit on iOS could also be vulnerable to the address spoofing. Vieira-Kurz informed Apple of the problem in early March.

Update: There are apparently only a few third-party browsers, such as Dolphin HD, that are affected by the vulnerability. Other iOS browsers such as iCabMobile and Atomic Web are not.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit