iPhone Users Vulnerable to URL Spoofing Attack
As I was reading my RSS feeds, I noticed that Aviv Raff disclosed two vulnerabilities found in the iPhone on the Jewish new year (Oct 2). To my surprise, the phishing vulnerability isn't new to me; it is a bit old. In fact I had already created a crafted email with a spoofed URL in it, inspired by its original author Juan Pablo Lopez Yacubian.
This topic was blogged here last April 24 – Zero Day Exploit: Safari Address Bar URL Spoofing
Since this vulnerability affects Safari 3.1, iPhone users are obviously affected as well. I created this email to show that the vulnerability exists.
Notice the URL. You'll find it creepy, because in a desktop email client you would usually see the complete URL in the lower status bar. Here, the attacker can simply create a hyperlink that hides it, and it's not that obvious!
Upon clicking it, here’s what you’ll find …
Google in the URL bar and Yahoo in the content? Yes, this is the security flaw found in Safari. It happens when you input a URL containing special characters followed by "@": everything before the "@" is treated as user-info rather than as the host, and what follows the "@" is the actual hostname. The run of special characters is crafted to be long enough to push the real hostname out of the visible part of the address bar.
However, once you minimize the page, the URL that is displayed should ring a bell that something fishy is going on!
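As an added example (not code from the original post), here is a small Python check a mail filter could run over the links in a message: it extracts the host that the browser would actually contact (whatever follows the last "@" in the authority), flags long or hostname-looking user-info, and reports anchors whose visible text names a different host than the link really points to. The sample email and the host attacker.example are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample email; "attacker.example" is a placeholder host (RFC 2606).
SAMPLE_EMAIL = (
    '<p>Please verify your account:</p>\n'
    '<a href="http://www.google.com' + "." * 200 + '@attacker.example/login">'
    'http://www.google.com</a>\n'
    '<a href="http://www.google.com/">Google</a>\n'
    '<a href="https://user:secret@git.example/repo">git.example</a>\n'
)

ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def real_host(url):
    """Host the browser will really contact: the part after the last '@' in the authority."""
    return (urlsplit(url).hostname or "").lower()


def analyze_link(url, max_userinfo=32):
    """Describe one link and list reasons it looks like a user-info spoof."""
    parts = urlsplit(url)
    userinfo, has_at, _ = parts.netloc.rpartition("@")
    reasons = []
    if has_at:
        if len(userinfo) > max_userinfo:
            reasons.append("user-info longer than %d characters" % max_userinfo)
        if "." in userinfo.split(":", 1)[0]:  # user name that looks like a domain
            reasons.append("user-info looks like a hostname")
    return {"real_host": real_host(url), "userinfo": userinfo if has_at else "", "reasons": reasons}


def scan_html(html):
    """Return (href, info) pairs for anchors that deserve a closer look."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        info = analyze_link(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        # Only compare when the visible text itself names a host or URL.
        if "." in shown:
            shown_host = real_host(shown) if "://" in shown else shown.lower().strip("/")
            if shown_host != info["real_host"]:
                info["reasons"].append("text shows %s but link goes to %s" % (shown_host, info["real_host"]))
        if info["reasons"]:
            findings.append((href, info))
    return findings


if __name__ == "__main__":
    for href, info in scan_html(SAMPLE_EMAIL):
        print(info["real_host"], "|", "; ".join(info["reasons"]))
```

Only the padded link is reported; the ordinary Google link and the short `user:secret@git.example` credential form pass, which keeps the check from flagging legitimate user-info URLs.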
The lesson here is to be aware and stay safe!