Slashdot Mirror


Scammers Can Hide Fake URLs On the iPhone

CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."


  1. And now for something completely different: by Aerorae · · Score: 5, Insightful

    In other news, Apple tells the world it has the most perfectly designed mobile devices in the world. No, in all honesty 90% of web surfers never look at the address anyways. They click a link and expect that it takes them where it says it will. So I wouldn't call this an Apple issue, as they designed their interface with this fact in mind, so much as a consequence of user behavior and a company that is happy to oblige to supporting bad habits.

    1. Re:And now for something completely different: by robot256 · · Score: 2, Interesting

      Half the time you can't see the full url on a widescreen monitor. But at least you can always see what domain you are on (barring Unicode homograms). I would like it if there was a popup in the bottom of my phone browser showing just the domain--maybe even with Unicode spoofs highlighted. They could really innovate with that feature. Or they could leave their "shiny" interface the way it is and not worry about people being stupid.

      I'm assuming it's possible to turn on the address bar, right? Because if they actually prevent people from trying to be smart about it, THEN they are being unreasonable.

    2. Re:And now for something completely different: by wizardforce · · Score: 2, Insightful

      There's a difference between allowing for ignorance and catering to it.

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    3. Re:And now for something completely different: by Aerorae · · Score: 2

      And what is truly amusing is still how much I love my iPhone.

    4. Re:And now for something completely different: by node+3 · · Score: 2, Informative

      Half the time you can't see the full url on a widescreen monitor. But at least you can always see what domain you are on (barring Unicode homograms). I would like it if there was a popup in the bottom of my phone browser showing just the domain--maybe even with Unicode spoofs highlighted. They could really innovate with that feature. Or they could leave their "shiny" interface the way it is and not worry about people being stupid.

      This isn't about obfuscating the URL, it's about hiding the address bar (on the iPhone, what it does is push the address bar above the screen, kind of like how an anchor tag takes you to a specific spot in a page). Then it puts an image at the top that looks like the address bar and that image can have any URL it wants.

      I'm assuming it's possible to turn on the address bar, right? Because if they actually prevent people from trying to be smart about it, THEN they are being unreasonable.

      At least in the example given, it doesn't turn off the address bar, it just loads the page with it pushed off the page.

      I just tried the test in the story, and it's rather clever, but all you have to do is scroll up to verify the site. I can definitely see how it's going to be something Apple isn't going to have an easy time figuring out how to fix because it's not a technological issue, it's a social engineering issue.

  2. Yeah... by The+MAZZTer · · Score: 3, Insightful

    This is why modern browsers ignore such directives. Remember the window.open parameter that allowed you to hide the url bar? Yeah, only IE8 respects that switch now, all modern browsers ignore it and show the bar anyway.

  3. Re:Whose fault is it? by 0123456 · · Score: 2, Insightful

    Therefore hackers could register wellfargo.com, or wellsfargo.net, or a million variations and harvest usernames and passwords. Clearly URL spoofing did not play a part. Few people look closely at the URL.

    How would a lock icon have helped? If the phishers own a similar domain name they can get an SSL certificate and there'll be a nice fancy lock icon showing that the connection is secure... it's just not going to the site you think it's going to.
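    A client-side domain indicator of the sort robot256 proposes above, extended with a check for the lookalike registrations 0123456 describes. This is an added example, not code from the thread, from Apple or from any browser; TRUSTED_HOSTS is a constructed sample list and inspectUrlHost is a hypothetical helper name.

```javascript
// Added example: a "domain badge" that a browser UI could show next to the
// clock, independent of anything the page draws. It returns the hostname and
// a list of flags: punycode (xn--) labels for Unicode homograph spoofs,
// plain-http connections, and near-misses of hosts the user trusts.
const TRUSTED_HOSTS = ["wellsfargo.com", "example-bank.com"]; // constructed sample

// Levenshtein edit distance; a small distance to a trusted host is suspicious.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return d[a.length][b.length];
}

// Second-level label, e.g. "wellsfargo" for "online.wellsfargo.net".
function secondLevel(host) {
  const labels = host.split(".");
  return labels.length >= 2 ? labels[labels.length - 2] : host;
}

// Classify the host of a URL. Returns { host, flags } for the UI to render.
function inspectUrlHost(url) {
  const u = new URL(url);
  const host = u.hostname; // WHATWG URL parsing already converts IDNs to xn-- form
  const flags = [];
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    flags.push("idn"); // internationalized label: highlight it, it may be a homograph
  }
  if (u.protocol !== "https:") flags.push("insecure");
  for (const trusted of TRUSTED_HOSTS) {
    if (host === trusted || host.endsWith("." + trusted)) {
      flags.push(`trusted:${trusted}`);
    } else if (editDistance(host, trusted) <= 2 ||
               secondLevel(host) === secondLevel(trusted)) {
      flags.push(`lookalike:${trusted}`); // wellfargo.com, wellsfargo.net, ...
    }
  }
  return { host, flags };
}
```

The lock icon 0123456 mentions is deliberately not a flag here: a valid certificate for a lookalike host still yields a lock, so the badge reports host identity instead.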

  4. Re:No "Hover" by JesseDegenerate · · Score: 3, Informative

    How is that? When I press on a link and hold down, on my iPhone, it gives me the full address, the option to copy the link, open the link, or open in a new page. I guess I'm special!

  5. Re:No "Hover" by farnsworth · · Score: 4, Insightful

    On most browsers/clients/systems - you can "hover" over a hyperlink and see the URL it's going to. Not so with iOS.

    If you touch-and-hold a url in mobile safari, you are presented with a popup that contains the complete url.

    --

    There ain't no pancake so thin it doesn't have two sides.

  6. Nasty, but not a "new" problem by ekhben · · Score: 2, Insightful

    Web security should never depend on a user recognising a specific pattern of pixels, either by determining whether that vertical bar with some marks at the top and bottom is a "1" or an "l" or by figuring out if the displayed UI element is part of the web page or not.

    And, if your bank's website doesn't use two-factor authentication, disable it now.

  7. Exploit variant by sootman · · Score: 2, Interesting

    An even better way to take advantage of this exploit: Once you've got your page that hides the address bar, at the top of the page show a graphic of Safari's address bar with a totally legit URL. You could even make it a form field so people could click into it and type, and if they click 'Go' have it take you to whatever site they asked for. (Or not.)

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  8. Re:I guaran-goddamn-tee you ... by Lehk228 · · Score: 3, Funny

    by tricking you into FTPing into your bank?

    --
    Snowden and Manning are heroes.
  9. Feature by pgn674 · · Score: 2, Insightful

    I actually consider this a feature, not a bug.

    I use Google Reader a ton in my iPod Touch's Safari mobile browser, and that site does the same thing. It and other sites that use this feature don't actually hide the URL bar permanently. Instead, the URL bar always acts like it's part of the top of the web page once the page is fully loaded and rendered (during loading and rendering, the bar displays, no matter what). So if you scroll down the page, the bar scrolls away. Scroll to the top of the page, and the bar scrolls into view.

    With this feature, a site can ask the mobile Safari web browser to artificially simulate a scroll of the height of the bar. This is very nice, as it lets the web page have more assured screen space for its initial view. When you use a site like Google Reader a lot on your iPod Touch, it's nice to have this large initial view.

    Instead of removing this feature, if something is to be done about the risk of a website using a visual trick against a user, I'd rather that a mark of some sort be placed on the status bar at the top, beside the clock, radio strength, battery charge, etc. This way, if a user sees a URL bar and that mark at the same time, then the URL bar he sees is obviously a fake.

  10. Android too by L4t3r4lu5 · · Score: 3, Informative

    The stock Android browser hides the address bar, so you need to scroll up slightly to see it. That's all that this attack is relying on. My HTC Desire does it.

    This isn't an Apple problem, this article is an Apple-bashing troll. Kill it.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:Android too by L4t3r4lu5 · · Score: 2, Insightful

      They don't fail to make the connection with other platforms, they exclude other platforms totally and focus only on one, specifically. When there are other devices, on the mass market, which behave in exactly the same way, yet the article makes no reference to them whatsoever, the article is certainly biased.

      FWIW, I'm not an Apple fan. At all. I just don't believe in spreading FUD, no matter the target. This is a feature to maximise screen space when browsing, which can be abused by imitating the URL bar with an image at the top of the page. It happens on at least Android and Apple devices. They should both be mentioned.

      --
      Finally had enough. Come see us over at https://soylentnews.org/