
Hidden URLs pose iPhone phishing threat

by Iain Thomson

29 Nov 2010


Security researcher Nitesh Dhanjani has demonstrated a method of hiding URLs on Apple's iOS that can fool users into thinking they are visiting legitimate sites.

Dhanjani showed in a posting on the SANS Institute blog how the user interface could be used to hide the true URL of a web page, which would make phishing attacks much easier. He demonstrated an attack on Bank of America's iPhone web page.

"It makes sense to point out that Bank of America (like many other institutions which are a frequent target of phishing attacks) advises its customers to watch the browser address bar," he said.

"However, when you go to Bank of America's [mobile] site using Safari on the iPhone, the very address bar they recommend their customers watch for disappears from sight."

The actual URL is displayed briefly when the phishing website is accessed, but is then hidden when the page scrolls the Safari address bar out of view.

The feature is designed to allow maximum screen space for internet use, and such practices are common among web designers.

"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary web applications to scroll the real Safari address bar out of view," Dhanjani said.

"I do realise how precious real estate is on mobile devices, and if Apple chooses to come up with a better way of addressing this issue I'd welcome that as well."

Dhanjani has contacted Apple, which said that the issue had already been identified but that a fix was not available at present.

Dhanjani first came to prominence in 2008, when he discovered a flaw in the Windows version of Safari that allowed an attacker to install files via a vulnerability in the download system. He also covers social networking attack vectors.
