iOS hides surfing security risk

by Simon Aughton on November 30, 2010

A security researcher has highlighted a significant flaw in the way that iOS applications hide websites’ addresses.

Nitesh Dhanjani demonstrates how it is possible to hide the address bar in Safari — and thus hide a website’s genuine address. In his example, he sets up a fake phishing site, but by displaying an image where the user expects to see the address bar, he makes it appear as if it is a bank’s genuine website.

The spoof banking site (left) — only by scrolling down is the true URL revealed (right)

However, the problem isn’t confined to Safari. Any iOS app that can display web pages — such as Twitter clients — hides the URL by default and provides no way of displaying it. The problem is exacerbated by the widespread use of short URLs, which give no indication of the content or nature of the destination site.

Dhanjani says he has contacted Apple about the flaw; the company said that while it is aware of the implications, it did not say when the problem will be addressed.

In the meantime, he urges app developers to ‘clearly display the ultimate domain from which they are rendering web content’.
