Address bar on Apple iOS 5.1’s Safari browser vulnerable to spoofing

Given the large number of users on the iOS platform, vulnerabilities are constantly exposed. The weaknesses can be anything from within the filesystem, kernel or even on the surface, with their applications. Today, another vulnerability has surfaced and it has something to do with the Safari browser on iOS 5.1 renders website addresses which can be used by less than innocent parties to display a different URL to which is actually being visited.

The loophole was found by David Viera-Kurz from a company called MajorSecurity and the associated advisory details an error in how Safari handles the Javascript window.open() method  (to open a new window in the browser) The loophole could possibly be used to exploit users into accessing and supplying sensitive information to a malicious website.

Because the vulnerability was exposed on iOS 5.1 across all Apple devices, certain parties such as the Dutch Ministry of Security and Justice has issued a warning about it. Viera-Kurz has offered a demonstration of the code in this link if you own an iOS device and want to reproduce the possible loophole. Open the link and press the ‘Demo’ button.

The vulnerability was identified on March 1 and Apple was notified the next day. On March 3, they acknowledged the problem. Now that Apple is aware of the issue, there is absolutely no doubt that a fix will be in the making. In the meantime, there is no better advice that recommending that you do not open any links that you don’t trust and please be aware if any websites ask for your personal details.