Mobile Safari Found Vulnerable To Address Bar Spoofing Exploit In iOS 5.1
Today, David Vieira-Kurz of MajorSecurity uncovered a security issue with Apple’s Mobile Safari in iOS 5.1 (via TNW). The vulnerability can make Safari on iOS 5.1 show a spoofed website address, so that the address bar displays a different URL from that of the website you are actually visiting. According to the source, the vulnerability has been reproduced on the iPhone 4, iPhone 4S, iPad 2 and new iPad running iOS 5.1. As a result, the Dutch Ministry of Security and Justice has issued a warning about it.
Vieira-Kurz has offered a demonstration of the code, so if you own an iOS device and want to reproduce the bug, follow these steps:
Step 1:
Visit http://majorsecurity.net/html5/ios51-demo.html with Safari on iOS 5.1.
Step 2:
Click the “Demo” button.
Step 3:
Safari will open a new window with “http://www.apple.com” in the address bar, but in fact “http://www.apple.com” is being displayed inside an iframe on the host http://www.majorsecurity.net.
Step 4:
Safari’s address bar shows “http://www.apple.com”, which makes the user believe he/she is currently visiting Apple.com while still on the attacker’s website.
Apple has already been notified about the vulnerability, meaning an iOS firmware update to resolve the issue should be coming up shortly!

What about 5.01?
I tried it on 5.01 and it is suffering from the same vulnerability.
That's a pretty big fcuk up on Apple's part IMO.
How is this bad?
You could enter personal information into a website that you think you're on, which in turn will give the attackers the info.
Scary! So it hasn’t been replicated on 5.0.1?
Well, there’s one jailbreak exploit burned. :/