Looks like the Safari browser in iOS and OS X carries an inherent vulnerability that could allow attackers to exploit it for phishing purposes or distribution of malware. The exploit, as discovered by the researchers, is based on spoofing the Web URL to convince users that they’re in fact visiting trusted and legit websites. More details on this news can be found right here.
To show off how this exploit can be used by attackers, the researchers have developed a proof of concept site to demonstrate just how exactly the attack can work if ill-intended individuals develop a liking for it. The researchers use dailymail.co.uk, a British news website to pose as the website you’re visiting, but instead, while it leads you to a page telling you that it’s not the real DailyMail page, the Safari address bar shows the legit URL address.
Using this proof of concept you will notice that the trick URL quickly loads the phishing or malware website before the browser gets a chance to load the actual intended link. According to ArsTechnica, who tested this code, had come to the conclusion that it isn’t entirely perfect, further explaining that: “On the iPad Mini Ars tested, the address bar periodically refreshed the address as the page appeared to reload. The behavior might tip off more savvy users that something is amiss.”
This supposed glitch in the exploit is unlikely to be noticed by many users who would believe that they’re actually visiting genuine websites. Attackers could use the exploit to dress up links as ones offering sensitive services – such as PayPal – to steal your personal information and consequently, your money.
The vulnerability to this exploit seems to exist in just Safari, and browsers such as Chrome, Firefox, and Internet Explorer are apparently not prone to it whatsoever. Though vulnerabilities like this one tend to surface on or off in iOS or OS X, but users can rest assured that Apple, with its assured track record, will patch this one up soon with a new update. This vulnerability does pose a serious data risk, but nothing that cannot be managed with a quick update for Safari.
If you believe that your data mustn’t be at risk, then we recommend that you download a third-party browser before Apple pushes out an update.
(via: ArsTechnica)
You can follow us on Twitter, add us to your circle on Google+ or like our Facebook page to keep yourself updated on all the latest from Microsoft, Google, Apple and the web.
