Security researcher finds spoofing bug in Apple’s mobile web browser

Mar 23, 2012 09:33 GMT  ·  By

A weakness in Apple’s Mobile Safari needs to be patched immediately, according to a security company.

David Vieira-Kurz of MajorSecurity.net has discovered that Safari in iOS 5.1 has a weakness “caused [by] an error within the handling of URLs when using javascript’s window.open() method.”

It’s a general case of “spoofing” which, in plain English, means your address bar is lying about the site you’re on.

David explains that this “scary” bug can be exploited to potentially trick users into supplying cybercriminals with sensitive information, “because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they’re visiting another web site than the displayed web site.”

The security expert stresses that “Users should upgrade to a newer version as far as the vendor has supplied a patch.”

In other words, connect your iDevice to iTunes the minute Apple launches iOS 5.1.1 (or any incremental update the company chooses to release next).

David offers proof-of-concept code at this address, as well as the actual steps to reproduce / exploit the flaw.

Apple may want to roll out an iOS update sooner rather than later, as the current version of its mobile operating system is exhibiting several issues.

For example, one heavily reported bug is the new iPad’s inability to keep a WiFi connection going. There are other things that might need software patching as well, such as the tablet’s inability to charge the battery while playing a game.

However, there’s a good chance this behavior is normal for the new iPad, which houses a quad-core GPU inside its chassis. The power-sucking A5X chip is also one of the main causes why the device tends to run a bit warmer than its predecessors.