Mobile Safari vulnerable to spoofing exploit in iOS 5.1

A new vulnerability has been found in Apple's Mobile Safari browser for iOS 5.1. MajorSecurity first reported the issue, which allows an attacker to display a different website URL in the address bar than the one whose content is actually being shown, making it a useful building block for phishing attacks.

The exploit relies on the JavaScript window.open() call. On a desktop browser that call opens a separate window or tab, which is readily apparent to the user; in Mobile Safari the fact that a new window has been opened is not obvious, so the user has little reason to doubt what the address bar shows. Although both Mobile Safari and the stock Android browser are based on WebKit, the Android browser is not affected.

The vulnerability has been confirmed on Apple devices running iOS 5.0 and 5.1. It is not clear whether earlier versions of iOS exhibit the same behaviour, although you can test for yourself. A demo website has been set up to show a clear example of how this vulnerability can be exploited. Point Mobile Safari to this link to see it in action.
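A site that handles logins may want to warn visitors on an affected browser while a fix is pending. The following added example (not code from the original article or from MajorSecurity) classifies a User-Agent string as Mobile Safari on an affected iOS release, on the assumption that the affected range is iOS 5.0 and 5.1 as the article confirms, that newer releases are of unknown status until Apple ships a fix, and that third-party iOS browsers such as Opera Mini are not affected. The sample User-Agent strings are constructed for the example.

```javascript
// Classify a browser User-Agent string for the Mobile Safari address bar
// spoofing issue. Returns one of:
//   "affected"  - Mobile Safari on iOS 5.0 or 5.1 (assumed affected range)
//   "unknown"   - Mobile Safari on another iOS release (status not known)
//   "not-ios"   - anything else, including third-party iOS browsers
function classifyMobileSafari(ua) {
  // Apple's iOS Safari UA looks like:
  //   Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46
  //   (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
  // The "OS 5_1 like Mac OS X" fragment carries the iOS version.
  const isAppleDevice = /\b(iPhone|iPad|iPod)\b/.test(ua);
  const osMatch = /\bOS (\d+)_(\d+)(?:_(\d+))? like Mac OS X\b/.test(ua)
    ? ua.match(/\bOS (\d+)_(\d+)(?:_(\d+))? like Mac OS X\b/)
    : null;
  // Safari identifies itself with both "Mobile/<build>" and "Safari/<ver>".
  const isSafari = /\bMobile\/\w+\b/.test(ua) && /\bSafari\/[\d.]+/.test(ua);
  // Opera Mini on iOS identifies itself as "Opera Mini" and is assumed unaffected.
  const isThirdParty = /Opera Mini/i.test(ua);

  if (!isAppleDevice || !osMatch || !isSafari || isThirdParty) {
    return { status: "not-ios", ios: null };
  }

  const major = parseInt(osMatch[1], 10);
  const minor = parseInt(osMatch[2], 10);
  const ios = `${major}.${minor}`;

  // Assumption: the article confirms 5.0 and 5.1; other releases are unknown.
  const affected = major === 5 && (minor === 0 || minor === 1);
  return { status: affected ? "affected" : "unknown", ios };
}

// Constructed sample User-Agent strings for the example.
const SAMPLE_UAS = {
  ios51: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3",
  ios50ipad: "Mozilla/5.0 (iPad; CPU OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3",
  ios43: "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
  operaMini: "Opera/9.80 (iPhone; Opera Mini/7.0.4/28.2555; U; en) Presto/2.8.119 Version/11.10",
  desktop: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
};

// Build a warning string for a classification, or null if no warning is needed.
function warningFor(ua) {
  const result = classifyMobileSafari(ua);
  if (result.status !== "affected") return null;
  return `Your browser (Mobile Safari on iOS ${result.ios}) has a known address bar ` +
         `spoofing issue; verify this page before entering credentials.`;
}

// Usage: run over the samples and print which ones get a warning.
for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(name, "->", classifyMobileSafari(ua).status);
}
```

The check is only a stopgap: a User-Agent string is attacker-controlled and the spoofed page is served by the attacker, so this helps only by warning legitimate visitors on vulnerable devices, not by stopping the spoof itself.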

Apple acknowledged the problem back on March 3rd, so it is only a matter of time before an update addresses the issue. Until then, treat the address bar in Mobile Safari as untrustworthy: take care before entering any sensitive information, or use an alternate browser such as Opera Mini.

[via Your Daily Mac]