Researcher: Wii and iPhone browsers could allow phishing

University of California researchers say electronic gadgets' embedded browsers, which often strip out security features, could allow phishers to compromise users.

In a paper (PDF) presented at the Usability, Psychology, and Security Conference 2008 in San Francisco, researchers from the University of California at Davis warned that browsers within popular electronic gadgets often eliminate important security features available on desktop browsers.

Researchers Yuan Niu, Francis Hsu, and Hao Chen looked at the Mobile Safari browser on the Apple iPhone, as well as the Opera browser included in the Nintendo Wii and DS gaming systems. In general, they cited the reliance on on-screen typing as a deterrent to typing in known URLs. They said users are more likely to click on URLs presented in an e-mail.

They also said reduced screen sizes tend to force the address bar off the screen. On the Nintendo DS, only the first 22 characters display. They gave an example of a page called www.bankofamerica.com.phishydomain.com, which would be truncated to simply www.bankofamerica.com.
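The truncation problem described above can be checked for mechanically, for instance by a link filter. The following is an added example, not code from the paper or from any vendor: the function names are hypothetical, the 22-character width is applied to the hostname only, the real domain is approximated as the last two labels (no Public Suffix List), and the TLD list is a constructed sample.

```javascript
// Flag URLs whose truncated address-bar view shows a different domain
// than the one the browser actually connects to.
const VISIBLE_CHARS = 22; // Nintendo DS figure quoted in the article
const TLD_LIKE = new Set(["com", "net", "org", "gov", "edu"]); // constructed sample

// Assumption: the registrable domain is the last two labels of the host.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function checkTruncation(url, width = VISIBLE_CHARS) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  const real = registrableDomain(host);
  const result = { host, real, shown: host, apparent: null, suspicious: false };
  if (host.length <= width) return result; // whole hostname fits on screen

  result.shown = host.slice(0, width);
  const pieces = result.shown.split(".");
  // Keep only labels that are fully visible; a cut in the middle of a
  // label leaves a partial last piece, which is discarded.
  const cutOnBoundary = result.shown.endsWith(".") || host[width] === ".";
  const complete = cutOnBoundary ? pieces.filter(Boolean) : pieces.slice(0, -1);

  // The right-most visible "name.tld" pair is what the user will read
  // as the site's domain.
  for (let i = complete.length - 1; i >= 1; i--) {
    if (TLD_LIKE.has(complete[i])) {
      result.apparent = complete[i - 1] + "." + complete[i];
      break;
    }
  }
  // Suspicious: the visible part names a domain that is not the real one.
  result.suspicious = result.apparent !== null && result.apparent !== real;
  return result;
}

// Constructed sample inputs; the first is the hostname used in the article.
const samples = [
  "http://www.bankofamerica.com.phishydomain.com/login",
  "http://www.bankofamerica.com/",
  "https://www.example.com.static.example.com/",
];
for (const u of samples) {
  const r = checkTruncation(u);
  console.log(r.shown.padEnd(24), "real:", r.real, "suspicious:", r.suspicious);
}
```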

On the iPhone, the researchers said a simple JavaScript ScrollTo() call could knock the address bar off the Safari screen. In the paper, they gave an example in which JavaScript directs the page to load somewhere in the middle, forcing the address bar off the top of the page.

Even when the address bar is visible, the researchers were able to use JavaScript to overwrite the bogus address with a more legitimate-looking address. The overwrite trick could also lead the user into thinking a site was Secure Sockets Layer (SSL)-protected when it was not.

On the Nintendo Wii, the researchers found that the URL bar disappears when the page is loaded.

The researchers state that porting the traditional browser to a mobile device requires some foresight, and they suggest that even built-in features within browsers are ignored by users. They suggest instead that vendors use a proxy to filter out phishing before routing the pages to the devices.

About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     
