Slashdot Mirror


Scammers Can Hide Fake URLs On the iPhone

CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."

1 of 68 comments

  1. Whose fault is it? by fermion · Score: 0, Troll
    The iPhone was meant to be able to browse the whole web, with the exception of Flash pages. So why do banks and vendors push the iPhone to a mobile site? Why don't they have a uniform site that can be accessed by any browser? Why do they engage in less secure behavior? For example, Wells Fargo encourages users to sign in on the home page (which is lately secure), uses interstitials at sign in, and also has a mobile site. Much of the lack of security comes from the habits encouraged by the financial institution, and the browser can only do so much.

    For instance, by allowing sign in on a home page, which at one time was not secure, the user got used to not looking for the lock. Therefore hackers could register wellfargo.com, or wellsfargo.net, or a million variations and harvest usernames and passwords. Clearly URL spoofing did not play a part. Few people look closely at the URL.

    Which is to say that Safari allowing URL spoofing is a concern, but I do not see it as dramatic. The URL is not really visible all the time on the iPhone. My real concern is that banks, and stores such as Amazon, have mobile sites instead of just designing one site that will work for all users. This creates a precedent that the look and feel of a vendor is not uniform, and provides an opening for those that want to spoof sites.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black