Apple’s iOS thus far has proven to be fairly resistant to malware and some other forms of attack, but that doesn’t mean that it is completely in the clear. A new vulnerability discovered by a researcher at a German security firm enables an attacker to take advantage of some odd JavaScript behavior and spoof a URL and present a user with an absolutely authentic-looking forged Web site.
The vulnerability lies in the way that Apple’s Safari browser on iOS devices such as iPhones and iPads handles one specific JavaScript call. It could be used by an attacker to direct a user to a forged online banking or shopping site, and the user would have little chance, if any, of identifying the site as a fake. A demo put together by David Vieira-Kurz of MajorSecurity shows that the attack works on devices running iOS 5.1, the most recent version of the operating system, as well as iOS 5.01.
“The weakness is caused due to an error within the handling of URLs when using javascript’s window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another web site than the displayed web site,” the company’s security advisory on the iOS flaw says.
When a user visits the demo URL with a vulnerable browser, he is presented with what looks like the Apple home page, with a small dialog box at the top. Pressing the demo button in the box will open a new browser window that shows “www.apple.com” in the address bar and looks exactly like the company’s site, save for a small line of text at the top. However, that page is sitting on the MajorSecurity server.
Tactics like this one are rampant on desktop browsers and are a common part of phishing campaigns and other organized attacks. These attacks often succeed even with forgeries that aren’t anywhere near perfect. If attackers can drive victims to a forged site that’s an exact copy of the legitimate one and includes the proper URL, they’re in good shape.