ReadWriteWeb reports that malicious web developers can take advantage of the iPhone’s ability to push Safari’s address bar out of view, according to independent security researcher Nitesh Dhanjani in a post on his personal blog. After a web page loads, the real address bar can scroll out of view while a graphic on the web site depicting an address bar tricks users into thinking they are on the correct site.

This weakness stems from a design decision by Apple. It only occurs on websites that identify themselves as mobile sites, since it lets web developers take advantage of more of the “precious screen real estate” on the iPhone’s small screen, says Dhanjani. For phishers, however, this could be a new way to steer users to dangerous websites.

Dhanjani created a proof-of-concept demo of how this phishing attack could work, which iPhone users can try (safely) at the following URL: http://www.dhanjani.com/iphone-safari-ui-spoofing/. If you don’t have an iPhone to test it, you can watch this YouTube video instead. In the demo, mobile Safari visits a web page that looks nearly identical to Bank of America’s mobile web site. The site name and lock icon even appear in green, an indication that the site is protected via SSL. However, as you can see, the graphic is not the real address bar. If you scroll up, the actual address bar appears at the top of the page…


About the Author:

staff and wire services reports