clock menu more-arrow no yes

Filed under:

Safari URL spoofing exploit revealed in iOS 5.1

New, 33 comments

A new exploit has been revealed for Safari in iOS 5.1, which can put a fake URL in the address bar while actually directing you elsewhere.

Safari URL exploit
Safari URL exploit

A new vulnerability has been revealed for Safari in iOS 5.1 which makes is possible to put a spoof URL in the address bar to trick users into visiting a potentially dangerous site. According to Major Security, the issue is due to an error with how Safari deals with handling URLs using javascript. The danger is that users can be tricked into revealing sensitive information to the wrong party — for instance, while the address bar may display your bank's URL, you might actually be visiting a malicious site.

Major Security has created a demo that lets you reproduce the issue. By clicking on this link while in mobile Safari, and then hitting the demo button, you'll be transferred to a site hosted by, yet the address bar will still read And even though the issue was discovered on iOS 5.1, we managed to reproduce it while on a device running 5.0.1.

That's not the only problem with the iOS version of Safari, though. Despite the new iPad's higher resolution display, Tom's Hardware has revealed that Safari will still downscale images as it does with older devices. So anytime you view an image larger than 1024-pixels, it will be rescaled in order to keep your browser running smoothly. But this also means that you can't view large-scale images in all their glory on your nice new iPad display.

Apple is reportedly aware of the security issue, so we should expect a fix for that soon, though there's no word yet on the image problem.