A flaw has been discovered in Apple's Safari web browser on the iPhone that could easily allow hackers to redirect unsuspecting users to a phishing website.
Security expert Nitesh Dhanjani has discovered a UI feature in the Safari web browser that allows a mobile website to hide the browser's URL bar once the page has rendered. This feature, designed to save screen real estate, can be abused by attackers to hide the URL of a phishing website.
In a blog post, Dhanjani demonstrated the attack using the Bank of America iPhone mobile site.
“It makes sense to point out that Bank of America (like many other institutions which are a frequent target of phishing attacks) advises its customers to watch the browser address bar,” he said. “However, when you go to Bank of America's [mobile] site using Safari on the iPhone, the very address bar they recommend their customers watch for disappears from sight.”
Considering the rise of phishing and malware attacks targeting mobile banking websites, Apple should come up with a fix for this feature.