The Safari browser in the latest version of iOS has a bug that allows a website to display a false address in the URL bar, according to a recent report. The bug is actually present in all three major releases of iOS 5: iOS 5.0, 5.0.1, and 5.1.
The bug was discovered by David Vieira-Kurz of MajorSecurity, who first identified the problem in iOS 5.0. He was later able to reproduce it in iOS 5.0.1, and in 5.1. According to his report, the vulnerability was originally discovered on March 1st. On March 2nd Apple was informed of the problem, and on March 3rd they responded. Vieira-Kurz’s report was published on Tuesday, March 22nd.
Vieira-Kurz included instructions for duplicating the issue in the report. Check it out below on an iPhone 4S running iOS 5.0.1. The first shows the actual URL, pressing the “Demo” button opens the new page showing apple.com in the URL bar:
A bug like this presents a potentially significant security threat to users. Historically the best way to identify a phishing scam has been to check the URL. For example, an email that claims to be from, say, PayPal will advise readers to click a link and input their account information to rectify some problem. Clicking the link would take the reader to a site that looked like PayPal’s site, but had something completely different in the address bar. With this bug in Safari, links like that could not only look like PayPal (or Apple, or your local bank), but display the correct address as well.
As yet there is no solution to the bug. Since Apple is aware of it, you can bet that the next version of iOS will include a fix. In fact, it is entirely possible that a bug like this could be considered severe enough to warrant a quick update to iOS in the next few days. In the meantime, it might be best to exercise a little extra caution when clicking links while on your iOS device.