iOS 5.1 bug allows for address bar spoofing in Safari – users beware
Phishing is a type of scam where someone tries to get you to give them your personal info (like passwords) by pretending to be a trustworthy source. The general rule is that, if you’re following links, you should check the address bar of your browser before logging in anywhere, to make sure that you’re actually on the site you think you’re on and not a copy hosted at a lookalike address (like faecbook instead of facebook).
Now someone at a company called MajorSecurity has discovered a major bug in the way that Safari on iOS 5.1 opens links using JavaScript. The bug allows address bar spoofing, meaning that the address bar can be made to show a different URL from the page you’re actually on. That way it could show facebook.com even if you’re somewhere completely different. This means that one of the most basic ways of avoiding phishing scams no longer works on the iPad, and that’s a big deal.
Apple has been notified of the issue and will hopefully release a fix soon. In the meantime, it’s recommended that users avoid following links blindly while using the iPad. This won’t suddenly make a link in your online banking system go somewhere else, but if you’re on an unknown web page or getting a link in an email, you should be careful.
[MajorSecurity via TheNextWeb]