New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Address Bar Security Issue Found in iOS 5.1 Safari

A security firm has discovered a security issue in the iOS 5.1 version of MobileSafari, the most recent version of the operating system that runs on millions of Apple mobile devices. The behavior was discovered and detailed by David Vieira-Kurz of MajorSecurity.net.
The weakness is caused due to an error within the handling of URLs when using javascript's window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site.

To test it out, visit this demo page on an iPhone, iPod Touch or iPad running iOS 5.1. Click the 'Demo' button and MobileSafari will open a new window displaying "www.apple.com" in the address bar, though it's actually loading a page from MajorSecurity.net.

The security firm does note that Apple was informed of the vulnerability three weeks ago, and it is only being made public today. Apple acknowledged the bug and should be pushing a fix soon.



Top Rated Comments

(View all)

96 months ago

Apple are getting a little slack:

1. Hot iPads
2. Wifi Issues On New iPad
3. Safari On Retina Ipad's not actually pulling the fullres wallpaper / images
4. Security issues within 5.1

Apple. You have a B- you can and should be doing a lot better than this!!

Sorry to break it to you, and I loved the man, but he passed away back in October. It's Tim & Co.'s company now and they, despite misinformation to the contrary, are having just as many (read: few) real issues as they did when Steve was around.
Rating: 14 Votes
96 months ago
Public Announcement:

ALWAYS enter the URL manually or use your own bookmark for ANYTHING remotely important. This also means DO NOT click on the links in your email from financial institutions, PayPal, etc.
Rating: 10 Votes
96 months ago
And just like that, the 5.1 Jailbreak was delayed another month. :(
Rating: 9 Votes
96 months ago
That's a pretty good trick.

I mean, usually these things are like "if you download pirated software AND give it your password AND..."

But this one's pretty good. That, like, just worked.
Rating: 6 Votes
96 months ago
"Settings> Safari> Javascript > Off"

Thanks Porco. An easy fix until the next update.
Rating: 5 Votes
96 months ago

Approximately 100% of iOS users use Safari.

And how is it the worst? It's the best for Mac (idk about Windows). Even if you were going to say it was worse than FireFox or something, Internet Explorer is undoubtedly the worst on any OS.


I typed that comment on iOS and it wasn't on Safari but rather iCab. In fact my MacBook doesn't use Safari by default. I understand why iOS and Mac users use Safari because it comes with it by default, the same reason why there's so many IE users on Windows. My Windows computers have never seen Safari installed in a very long time.

For a Mac I'd argue that Chrome is superior but that's not to say it's the perfect browser either. Firefox is too intrusive with all the warning messages like Vista and really relies on 100% user input to make decisions. IE9 has come a long way, it's actually one of the fastest and safest browsers to be used on Windows machines.

For mijail, yes I'm aware of that it's about Mobile Safari however Safari in itself is very late to the game, they introduced sandboxing years after Google's been doing it with Chrome. There's a lot of great extensions and plugins for Chrome and Firefox but Safari's seriously lacking compared to the other 2.
Rating: 4 Votes
96 months ago
I want Chrome browser for iOS, and not because of this issue..
Rating: 3 Votes
96 months ago
This seems like a pretty serious issue. Thanks to MajorSecurity.net for the discovery.
Rating: 3 Votes
96 months ago
Apple now decides that they'll rip off JavaScript functionality from its mobile browser.

"Just like Adobe Flash compromises performance, JavaScript is a security issue. HTML6 will provide through tags everything JavaScript provides through programming."

--JK, BTW

----------

I just browsed through a number of your posts - you are quite the collection of negativity towards Apple and Apple products - it permeates most of your responses.

Why don't you depart the platform and move on to whatever you could be more positive towards? Why spend time bashing Apple and the platform as you clearly hold it in such low regard?


Actually, (some) Apple consumers expect it will be always at the excellence level. It's always said that Apple pushes technology to innovation, so it's natural that consumers demand more from Apple on the quality side than from other manufacturers. That's why we're usually ok by paying more for an Apple tablet or a Macbook Pro than a HP counterpart.
Rating: 3 Votes
96 months ago
Come on, Apple. It's embarrassing. If they appear insecure, a bunch of people will freak out even after security fixes.

I don't see how anyone can try to defend Apple on this. Any little hole like that is a real screwup (like the PDF vulnerability they had before) since everyone will take advantage of it if it is not fixed. I got to jailbreak with the swipe of a finger in iOS 4.
Rating: 3 Votes

[ Read All Comments ]