Researcher reveals how hidden URLs can pipe Apple iPhone users to malware

The problem appears to be caused by the limited screen size on the iPhone, an issue that may well afflict other smartphones as well, Infosecurity notes.

According to Nitesh Dhanjani, a researcher credited with spotting a previous Apple Safari desktop browser issue that could result in so-called 'carpet bomb' attacks, the problem is a potentially major one for Apple and its iPhone users.

In this latest proof-of-concept attack vector, Dhanjani has shown how a legitimate web app, Bank of America's mobile banking application, hides the Safari address bar after rendering the page.

This practice, he asserts, allows users of the iPhone to see more screen information than normal, and is often seen on websites designed for smartphones.

Dhanjani claims he has contacted Apple about the issue and that "they let me know they are aware of the implications but do not know when and how they will address the issue."

"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary web applications to scroll the real Safari address bar out of view," he said in his security blog.

The researcher goes on to say that Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp.

Positioning the current domain context in a location that cannot be altered by the rendered web content, he says, can give users an indication similar to the one browsers such as IE and Chrome provide by highlighting the domain currently being rendered.

Dhanjani has posted an interesting short video on YouTube that shows how the URL misroute functions.
