Address bar spoofing exploit found for iPhone, iPad Safari in iOS 5.1
With the number of iOS devices out there in the world these days, the number of individuals looking to exploit Apple's offerings is growing.
A new security vulnerability has now been exposed pertaining to how Apple's Safari web browser handles site names entered into the address bar. The exploit, discovered by David Vieira-Kurz of MajorSecurity, involves spoofing (faking) the name of the site the user thinks they are going to in Safari while secretly redirecting them to a different, potentially malicious website without their knowledge.
The vulnerability has been reproduced on every device running iOS 5.1, including the iPhone 4, iPhone 4S, iPad 2, and the new iPad. Given the reproducible results, the Dutch Ministry of Security and Justice has issued a warning.
A proof of concept has been provided by Vieira-Kurz and the results have been acknowledged by Apple as far back as March 3rd. That said, it stands to reason that an update from Apple is being worked on to close the hole.
If you're looking to test out the proof of concept yourself, you can visit the Vieira-Kurz website in the source link below. If you test it, you can see how simply pushing the demo button will load a new site but the address bar would have you believe it's still apple.com.
Until an update is pushed from Apple, do not click on any random links you don't trust, and avoid offering up any personal details on sites you're not 100% sure about. When in doubt, type in the address yourself rather than clicking a link to better make sure you're going to the right place. These are common safety measures for the internet, but certainly worth repeating with this newfound exploit now known to the masses.