Scammers Can Hide Fake URLs On the iPhone
CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."
In other news, Apple tells the world it has the most perfectly designed mobile devices in the world. No, in all honesty, 90% of web surfers never look at the address anyways. They click a link and expect that it takes them where it says it will. So I wouldn't call this an Apple issue, as they designed their interface with this fact in mind, so much as a consequence of user behavior and a company that is happy to oblige by supporting bad habits.
Hasn't Apple banned scammers from getting into the iPhones yet?
Why, he's pretending to be another site! The audacity!
Fake sites, scam sites, trickery and shenanigans abound. Welcome to the intertubes.
This is why modern browsers ignore such directives. Remember the window.open parameter that allowed you to hide the url bar? Yeah, only IE8 respects that switch now, all modern browsers ignore it and show the bar anyway.
So "scammers exist" is basically the meat of the claims of the story... this is news?
slashdot = stagnated
...while I'm driving.
For instance, by allowing sign-in on a home page, which at one time was not secure, the user got used to not looking for the lock. Therefore hackers could register wellfargo.com, or wellsfargo.net, or a million variations and harvest usernames and passwords. Clearly URL spoofing did not play a part. Few people look closely at the URL.
Which is to say that Safari allowing URL spoofing is a concern, but I do not see it as dramatic. The URL is not really visible all the time on the iPhone. My real concern is that banks, and stores such as Amazon, have mobile sites instead of just designing one site that will work for all users. This creates a precedent that the look and feel of a vendor is not uniform, and provides an opening for those that want to spoof sites.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Screenshots of ui elements have always been an avenue for web predators. It's not an iPhone unique problem. Although, they could put a user-unique element in the address bar to fight it (an icon or a condensed username).
On most browsers/clients/systems you can "hover" over a hyperlink and see the URL it's going to. Not so with iOS.
I'm just complaining, but I tried to publicize this through Slashdot back in October and was ignored. http://twitter.com/mootcycle/status/27965429016/ I also made the point that mobile browsers don't display enough of the URL. accounts.google.com.evil-lemur.com only shows the first bit of the URL. Oh well. I suppose I should have tried harder to get someone to pay attention.
Web security should never depend on a user recognising a specific pattern of pixels, either by determining whether that vertical bar with some marks at the top and bottom is a "1" or an "l" or by figuring out if the displayed UI element is part of the web page or not.
And, if your bank's website doesn't use two-factor authentication, disable it now.
STUPID all of us.
One of the security options in IE is "Allow websites to open windows without address or status bars" and it is disabled by default.
The fact that this even exists as an option is ... interesting, shall we say.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view," he said. "Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."
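An added example (not from the thread or from Dhanjani's write-up), in Node.js, tying together the truncation complaint about accounts.google.com.evil-lemur.com earlier in the thread and the fixed domain indicator proposed above: it mimics a narrow prefix-truncated address bar and computes what an unalterable "current domain" line would show instead. The 20-character bar width and the registrable-domain approximation (last two host labels, no Public Suffix List) are assumptions of this example.

```javascript
// Added example, not code from the thread. Shows why a prefix-truncated
// mobile address bar hides the real domain, and what a fixed domain-context
// indicator (as suggested above) would display for the same URL.
// Assumption: registrable domain ~= last two host labels; a real
// implementation would consult the Public Suffix List.

// Mimic a narrow address bar that shows only the first `width` characters
// of the URL after the scheme.
function truncatedBar(url, width) {
  const shown = url.replace(/^https?:\/\//, '');
  return shown.length > width ? shown.slice(0, width) + '…' : shown;
}

// Approximate registrable domain (eTLD+1) from a host name.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.').filter(Boolean);
  return labels.length <= 2 ? labels.join('.') : labels.slice(-2).join('.');
}

// What an unalterable status-line indicator should show for a URL:
// the domain the page is actually served from, not the prefix.
function domainContext(url) {
  return registrableDomain(new URL(url).hostname);
}

// Lookalike check: the truncated bar begins with the host the user expects,
// but the page is really served from a different registrable domain.
function misleadingPrefix(url, width, expectedHost) {
  const bar = truncatedBar(url, width);
  return bar.startsWith(expectedHost) &&
    domainContext(url) !== registrableDomain(expectedHost);
}

// Constructed sample URLs; the lookalike host is the thread's own example.
const samples = [
  'https://accounts.google.com/ServiceLogin',
  'https://accounts.google.com.evil-lemur.com/ServiceLogin',
];
for (const s of samples) {
  console.log(truncatedBar(s, 20).padEnd(24), '->', domainContext(s),
    misleadingPrefix(s, 20, 'accounts.google.com') ? '(lookalike)' : '');
}
```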
Even if the true URL were visible it still wouldn't help much--people would still visit www.bankofamercia.com or www.bankofamerica.evilsite.com or www.bankofamericaonline.net or any one of a million other correct-looking domains.
"I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view"
Yes, let's make everyone's experience worse just to help a small percentage of people who couldn't use the information shown to help themselves anyhow. No, thanks.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
An even better way to take advantage of this exploit: Once you've got your page that hides the address bar, at the top of the page show a graphic of Safari's address bar with a totally legit URL. You could even make it a form field so people could click into it and type, and if they click 'Go' have it take you to whatever site they asked for. (Or not.)
I never understood why MS ever thought it would be useful -- for the end user -- to hide the URL bar. The *only* use cases I can think of are devious and unhelpful to the end user.
And thanks for about:config, but that comes as no news. It also bears mentioning that Firefox doesn't actually have options for "everything" per se -- I cannot find any option to hide the URL bar, for instance, but maybe I'm just not seeing it.
As an end user, I'm happy with the choices presented by many software options -- so long as those options do not actually impede my use of the software. Hiding the URL bar is one option for which I fail to see any use that is not harmful to the end user.
Choice is generally good, but choice for choice's sake can often lead to problems. Not allowing the browser to hide the URL bar could be likened to not allowing factory floor workers to wear neckties or other dangling items of clothing or jewelry. While technically limiting choice, not imposing such restrictions leaves browser users open to very basic phishing and other attacks, and factory workers open to being mangled by their machinery. In both cases, removing the choice from users, by making it for them instead, improves safety.
Sometimes, having a choice made for you by others who know better is actually a good thing.
... that Chrome's protocol-hiding will cause similar problems one of these days. I don't know how, I don't know when, I don't know where -- but I do know that someone's going to use it to cause harm.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Wouldn't a separate build be more appropriate in such a case? Much of the functionality in a full-on desktop install of a browser would only eat up valuable space in an appliance environment.
Then again, this is Microsoft, who seem to think that Windows is great on appliance machines...
Seems like no one really read the article. It's not a problem with Safari. If a user opens a web page in Safari they don't lose the URL bar. It's in-app access to browsing using APIs to hide the URL after a page in an App has loaded. Users only get to see it for a few seconds. I still think it's a non-issue because Apps are so controlled on Apple it would be a stroke of luck for someone to get an App that did abuse that to steal people's info; it would be busted quickly if it did somehow get past the App Approval Nazis and quickly pulled. If such a rare thing did happen it could spark Apple to use the auto-remove back door of any apps of that nature installed for the first time. Sometimes it's great using a device that is highly controlled because I have no reason to worry about this at all with the current state of App approvals. The flaw would be horrible on a more open, less controlled market space though.
I actually consider this a feature, not a bug.
I use Google Reader a ton in my iPod Touch's Safari mobile browser, and that site does the same thing. It and other sites that use this feature don't actually hide the URL bar permanently. Instead, the URL bar always acts like it's part of the top of the web page once the page is fully loaded and rendered (during loading and rendering, the bar displays, no matter what). So if you scroll down the page, the bar scrolls away. Scroll to the top of the page, and the bar scrolls into view.
With this feature, a site can ask the mobile Safari web browser to artificially simulate a scroll of the height of the bar. This is very nice, as it lets the web page have more assured screen space for its initial view. When you use a site like Google Reader a lot on your iPod Touch, it's nice to have this large initial view.
Instead of removing this feature, if something is to be done about the risk of a website using a visual trick against a user, I'd rather that a mark of some sort be placed on the status bar at the top, beside the clock, radio strength, battery charge, etc. This way, if a user sees a URL bar and that mark at the same time, then the URL bar he sees is obviously a fake.
Even a novice would be able to work out what it means.
Seriously, you're thinking like a geek. Mind you, I don't mean that in a bad way. But I do mean that someone with your perspective is not someone who would most likely be disadvantaged by someone else hiding the URL bar, as you'd be wary and experienced enough to notice, and wonder what was up.
Why should they have to maintain a separate build just for the sake of not having a single checkbox in the configuration options? Surely not to save space, because it wouldn't take much code to check a setting before adding the address and status lines.
Redjag suggested that the option might be useful for appliance purposes. My reply about separate builds was precisely for this context -- so far the only useful and non-devious one mentioned for hiding the URL bar -- and in the context of an appliance installation, a separate build that saves space would indeed be very much desired. And by saving space, I'm referring to much more than just code to check a setting before adding the address and status lines: an appliance build, with space-savings in mind, would be much more bare-bones -- no need for extensions, no need for bookmarks, possibly even no need for JavaScript.
Is there any utility for end users of a full-on desktop browser installation for an option to hide the URL bar? I see plenty of utility for others -- megacorps, phishers, and assorted other ne'er-do-wells -- but I can think of no compelling use for regular old end users.
Another nail in the coffin of the freakin shit tard jerk off iPhone shite container. Apple need nuking off the face of the planet; they are even worse than that bunch of idiots at M$ Corp, and that's saying something. Jobsy, FOAD, do the world a favour ..
The stock Android browser hides the address bar, so you need to scroll up slightly to see it. That's all that this attack is relying on. My HTC Desire does it.
This isn't an Apple problem, this article is an Apple-bashing troll. Kill it.
Finally had enough. Come see us over at https://soylentnews.org/
You mean there isn't an App for that?