
iPhone Safari feature is a risk, says researcher

Written by Tom Espiner, Contributor on

A researcher has warned that a feature on Safari for iPhone could be used to hide malicious URLs.

Safari on the iPhone hides a URL once a web page has loaded. This means that a spoof web page which contains a spoof URL within the body of the page could be used to lull users into a false sense of security, researcher Nitesh Dhanjani said in a blog post on Monday.

"Notice that the address bar stays visible while the page renders, but immediately disappears as soon as it is rendered," said Dhanjani. "Perhaps this may give the user some time to notice but it is not a reasonably reliable control (and I don’t think Apple intended it to be)."

Dhanjani demonstrated a proof-of-concept phishing page with the actual URL http://www.dhanjani.com/iphone-safari-ui-spoofing/. The page spoofed the Bank of America landing page, but the URL was hidden when the page rendered. To view the actual URL, users had to scroll up.

The researcher has contacted Apple about the Safari feature.
