Safari Logo 150x150 Addressbar spoofing vulnerability found in mobile Safari WebkitThe mobile Safari browser for iOS on iPhone’s and iPad’s contains a vulnerability, which can be used for phishing, and could potentially threaten the whole iOS community. The Dutch Ministry of Security and Justice announced this news today on their official website. The vulnerability can be easily exploited by hackers to display a different web URL than the webpage users are actually visiting.

According to the Ministry of Security and Justice, the vulnerability is found in the rendering-engine Webkit, which is used for various browsers. This could for example be used for phishing, and there is even the possibility that this already happened; the adress bar will for example display Apple.com while you are actually visiting a website that looks exactly the same, but with the difference that they are just after your creditcard details. Many users will probably not even notice the difference between the two. Apple is already informed, although they haven’t released an update yet. We therefore recommended that users should be careful when filling in forms with your personal information.

The leak was originally discovered by MajorSecuriy, who demonstrated that the Apple Webkit rendering engine has support for the JavaScript command ‘window.open()’. This command will open a new window, which is clear if you are working on a desktop or laptop, but not if you are using the mobile version of Safari. However, it seems that it is system related, because Android is using the Safari Webkit as well, but their engine is not vulnerable for phishing attacks; it is clear when a new window/tab is opened on an Android device.

While the leak is tested with iOS 5.1, it is likely that devices that run on older firmwares such as iOS 5.0.1 and iOS 4 are vulnerable to these attacks as well. Apple has currently not announced whether it will do something about the problems. Users are advised to use alternative browsers such as iCabMobile or Opera until the vulnerability is patched in a firmware update.