iOS 5.1 Safari Allows URL Spoofing

March 22, 2012

One thing Apple has always focused on is making its devices as secure as possible, so we have to believe that a fix will be developed and released quickly in this case. According to the security firm Major Security, the iOS 5.1 version of the Safari browser found on the iPad, iPhone and iPod Touch has a major security flaw that can result in data being stolen, without the user even realizing they have just handed a password or other account information to a thief.

According to a report issued recently by Major Security, the flaw involves URL spoofing. For those who don't know what that is (and many do not), URL spoofing means displaying the URL of a legitimate site while the user is actually on an illegitimate one. So, for instance, an attacker may direct you to a fake YouTube site, but when you look at the address bar in Safari, all you see is youtube.com, making it nearly impossible for the average user to tell the fake from the real site (unless, of course, the fake is so poorly designed that it's obvious).


Major Security says the spoofing is possible because of the way Safari handles the JavaScript window.open() method: a page can open a new window whose address bar shows a legitimate URL while the content the user actually sees is controlled by the attacker. Similar window.open() tricks have been used for years against desktop browsers such as Internet Explorer, and the technique now apparently works in Safari too. Major Security tested the problem on the iPhone 4, iPhone 4S, iPad 2 and the newest iPad, and every device tested allowed URL spoofing, which shows that this is a real problem and something iOS users need to be mindful of.

Apple, for its part, is aware of the Safari URL spoofing problem and issued a statement earlier this month warning users about it. Apple is said to be hard at work on a fix, though no release date for the patch has been announced. Until that update ships, you'll want to be extra careful in your Safari browsing: because it is the address bar itself that can be misleading, checking the URL is not enough, so avoid entering passwords on a page you reached by following a link, and open sensitive sites from a bookmark or by typing the address yourself.
