Safari bug could lure iOS 5 users to malicious Web sites

A hole in Apple's mobile Safari can be exploited to display a different URL in the address field than the Web site being viewed in the browser.

Screenshot by Lance Whitney/CNET

iOS 5 users, beware a security flaw in Safari that can be used to trick you into visiting potentially malicious Web sites.

Discovered earlier this month by German security firm MajorSecurity, the vulnerability could allow cybercriminals to spoof the URL displayed in the browser, trapping users at the wrong sites.

"The weakness is caused due to an error within the handling of URLs when using javascript's method," explained David Vieira-Kurz of MajorSecurity. "This can be exploited to potentially trick users into supplying sensitive information to a malicious Web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site."

First uncovered in iOS 5.0, the hole was reproduced in iOS 5.1. The security firm was able to confirm the flaw on an iPhone 4, iPhone 4S, iPad 2, and "iPad 3," all running iOS 5.1.

Apple was informed of the bug by MajorSecurity on March 3, but the information didn't go public until this past Tuesday. Apple did not immediately answer CNET's request for comment. But MajorSecurity is advising users to upgrade to a new version of iOS when a patch becomes available.

Since Apple has acknowledged the issue, it should be able to push out a fix in its next iOS update, says The Next Web. For now, though, mobile Safari users should follow the usual advice: don't open links you don't trust, and be on the lookout for any site that asks for personal information.

Curious iOS 5 users can reproduce the bug themselves via the following steps outlined by MajorSecurity:

  1. Visit on your mobile device.
  2. Click the Demo button in the upper left.
  3. A new page will open displaying the URL for Apple's Web site with all the expected content. So you believe you're on Apple's site. But the page is actually still being hosted at MajorSecurity's domain.