Researcher warns of iPhone attack risk

Security researcher Nitesh Dhanjani is warning users of the potential for ne'er-do-wells to fool iPhone users into handing their personal details over to an illegitimate site, thanks to a UI spoofing vulnerability in the mobile Safari browser.

In a guest post over on SANS' Application Security Street Fighter blog, Dhanjani details how it's possible for an attacker to make use of the auto-hide functionality of the Safari browser on the iPhone in order to trick users into believing they're on a legitimate site when in fact they've been redirected to a mailicous URL.

The flaw comes about as a result of Apple's decision to hide the status bar - which includes the address of the site you're visiting - when the page has finished loading. By placing a fake status bar at the top of the page, Dhanjani believes it's possible to make users think that they're visiting bankofamerica.com instead of nastyhackerstealsyourlogin.com.

"Popular web browsers today do not allow arbitrary websites to modify the text displayed in the address bar or to hide the address bar," Dhanjani explains, "if browsers can be influenced by arbitrary web applications to hide the URL or to modify how it is displayed, then malicious web applications can spoof User Interface elements to display arbitrary URLs thus tricking the user to thinking he or she is browsing a trusted site."

The version of Safari that ships on the iPhone isn't alone in this behaviour, however: the in-built Android browser also hides its address bar when the page has finished loading, for the same reason as Safari - to save precious screen space on the often cramped smartphone display.

It's Safari that Dhanjani has chosen to highlight, however - and he reports that "I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue."

There are some mitigations for the flaw: during page loading, a user will see two address bars, which could alert an eagle-eyed user to suspcious activity; and if a user scrolls up once a page has loaded, rather than down, the true address bar will appear once again.

If you're an iPhone user, you can test the attack out for yourself by visithing Dhanjani's custom spoof page, which pretends to be the Bank of America, and see if you think you'd be fooled. If you haven't got an iPhone handy, you can watch the attack in action below.