Home > Daily Thoughts, Emerging Threats, Exploits, Malwares, Phishing, Vulnerability > iPhone Users Vulnerable to URL Spoofing Attack

iPhone Users Vulnerable to URL Spoofing Attack

As I was reading my RSS feeds, I just noticed that Aviv Raff disclosed two vulnerabilities found in iPhone on Jewish new year (Oct 2). But, to my surprise the phishing vulnerability isn’t new to me, this is bit old, in fact I created a crafted email with spoofed URL on it, as inspired by its original author Juan Pablo Lopez Yacubian.

This topic has been blogged last April 24 – Zero Day Exploit: Safari Address Bar URL Spoofing

Since this vulnerability affects Safari 3.1, obviously iPhone users are affected as well. I just created this email to show that this vulnerability exist.

Notice the URL, you’ll find it creepy ‘coz in Desktop email browser you will usually see the complete URL in the lower right side bar. But in this case, the attacker can simply create a hyperlink to hide it and it’s not that obvious!

Upon clicking it, here’s what you’ll find …

Google in URL bar and Yahoo on the content ? Yes, this is the security flaw found in Safari. This happens when you input a URL containing special characters followed by “@” which indicates the actual hostname. The special characters was crafted long enough to hide the URL of the page.

However,  once you minimize the page, the URL displayed should ring a bell, that this is something fishy!

The lesson here is to be aware and stay safe!

  1. No comments yet.
  1. October 6, 2008 at 12:30 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: