
Scammers Can Hide Fake URLs On the iPhone

Soulskill posted more than 3 years ago | from the don't-believe-everything-you-see dept.


CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."

68 comments

airr (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34381418)

first post

And now for something completely different: (5, Insightful)

Aerorae (1941752) | more than 3 years ago | (#34381442)

In other news, Apple tells the world it has the most perfectly designed mobile devices in the world. No, in all honesty, 90% of web surfers never look at the address anyways. They click a link and expect that it takes them where it says it will. So I wouldn't call this an Apple issue, as they designed their interface with this fact in mind, so much as a consequence of user behavior and a company that is happy to oblige by supporting bad habits.

Re:And now for something completely different: (0, Redundant)

JesseDegenerate (936699) | more than 3 years ago | (#34381490)

Android's browser hides its URL after the page is loading by default. You can never see the full URL on smartphones anyway.

Re:And now for something completely different: (2, Interesting)

robot256 (1635039) | more than 3 years ago | (#34381584)

Half the time you can't see the full URL on a widescreen monitor. But at least you can always see what domain you are on (barring Unicode homographs). I would like it if there was a popup in the bottom of my phone browser showing just the domain--maybe even with Unicode spoofs highlighted. They could really innovate with that feature. Or they could leave their "shiny" interface the way it is and not worry about people being stupid.

I'm assuming it's possible to turn on the address bar, right? Because if they actually prevent people from trying to be smart about it, THEN they are being unreasonable.

Re:And now for something completely different: (2, Informative)

node 3 (115640) | more than 3 years ago | (#34384416)

Half the time you can't see the full URL on a widescreen monitor. But at least you can always see what domain you are on (barring Unicode homographs). I would like it if there was a popup in the bottom of my phone browser showing just the domain--maybe even with Unicode spoofs highlighted. They could really innovate with that feature. Or they could leave their "shiny" interface the way it is and not worry about people being stupid.

This isn't about obfuscating the URL, it's about hiding the address bar (on the iPhone, what it does is push the address bar above the screen, kind of like how an anchor tag takes you to a specific spot in a page). Then it puts an image at the top that looks like the address bar and that image can have any URL it wants.

I'm assuming it's possible to turn on the address bar, right? Because if they actually prevent people from trying to be smart about it, THEN they are being unreasonable.

At least in the example given, it doesn't turn off the address bar, it just loads the page with it pushed off the page.

I just tried the test in the story, and it's rather clever, but all you have to do is scroll up to verify the site. I can definitely see how it's going to be something Apple isn't going to have an easy time figuring out how to fix because it's not a technological issue, it's a social engineering issue.

Re:And now for something completely different: (1)

andymadigan (792996) | more than 3 years ago | (#34381702)

It doesn't hide it when the page is done loading, only when you scroll past the top of the page. If you scroll up to the top it should always show (at least it has for me on the "with Google" version for 1.0, 1.5, 1.6, 2.0, 2.1 and 2.2).

Re:And now for something completely different: (2, Insightful)

wizardforce (1005805) | more than 3 years ago | (#34381654)

There's a difference between allowing for ignorance and catering to it.

Re:And now for something completely different: (2)

Aerorae (1941752) | more than 3 years ago | (#34382016)

And what is truly amusing is still how much I love my iPhone.

Re:And now for something completely different: (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34382728)

Please provide us with said link where Apple said it has the 'most perfectly designed mobile devices in the world'?

Thought so...


What? (0)

Anonymous Coward | more than 3 years ago | (#34381532)

Hasn't Apple banned scammers from getting into the iPhones yet?

Impostor! (1)

WrongSizeGlass (838941) | more than 3 years ago | (#34381544)

Why, he's pretending to be another site! The audacity!

Fake sites, scam sites, trickery and shenanigans abound. Welcome to the intertubes.

Re:Impostor! (1)

andybak (542829) | more than 3 years ago | (#34386556)

You haven't really thought about this issue in any depth, have you? Still. I'm glad you got that impulse to comment on something you don't really care about out of your system.

Yeah... (3, Insightful)

The MAZZTer (911996) | more than 3 years ago | (#34381558)

This is why modern browsers ignore such directives. Remember the window.open parameter that allowed you to hide the url bar? Yeah, only IE8 respects that switch now, all modern browsers ignore it and show the bar anyway.

Re:Yeah... (1)

Gadget_Guy (627405) | more than 3 years ago | (#34382402)

Yeah, only IE8 respects that switch now, all modern browsers ignore it and show the bar anyway.

One of the security options in IE is "Allow websites to open windows without address or status bars" and it is disabled by default.

Still an option, though (1)

zooblethorpe (686757) | more than 3 years ago | (#34382498)

One of the security options in IE is "Allow websites to open windows without address or status bars" and it is disabled by default.

The fact that this even exists as an option is ... interesting, shall we say.

Cheers,

Re:Still an option, though (1)

LynnwoodRooster (966895) | more than 3 years ago | (#34382756)

Yes, choice sucks... There should only be one possible option for all situations, because if it doesn't work for you then it won't work for anyone else.

Why is hiding URL bar a useful choice? (0)

Anonymous Coward | more than 3 years ago | (#34383244)

As an end user, I'm happy with the choices presented by many software options -- so long as those options do not actually impede my use of the software. Hiding the URL bar is one option for which I fail to see any use that is not harmful to the end user.

Choice is generally good, but choice for choice's sake can often lead to problems. Not allowing the browser to hide the URL bar could be likened to not allowing factory floor workers to wear neckties or other dangling items of clothing or jewelry. While technically limiting choice, not imposing such restrictions leaves browser users open to very basic phishing and other attacks, and factory workers open to being mangled by their machinery. In both cases, removing the choice from users, by making it for them instead, improves safety.

Sometimes, having a choice made for you by others who know better is actually a good thing.

Cheers,

Re:Why is hiding URL bar a useful choice? (0)

Anonymous Coward | more than 3 years ago | (#34384660)

how bout internal company web applications running on systems with tiny screens where every last pixel of screen real-estate is needed? Do you now see how your "failure to see any use" in this scenario is due to your limited/narrow minded view?

Re:Why is hiding URL bar a useful choice? (0)

Anonymous Coward | more than 3 years ago | (#34386270)

Kiosks running local sites, too. You might even intentionally want to hide the url in that case, since it's ugly, confusing, and may reveal something you don't want shown. I'm actually about to use the option in a kiosk project I'm working on, and thus have to use IE instead of Firefox because in this case IE provides more options.

Re:Still an option, though (1)

Gadget_Guy (627405) | more than 3 years ago | (#34382910)

The fact that this even exists as an option is ... interesting, shall we say.

If you think that is interesting then your mind is going to be blown when you eventually learn of about:config in Firefox. There are options for EVERYTHING there!

Seriously, I'm not sure why you think it is interesting. Microsoft changed the behaviour of the browser, but kept an option around for people who need or prefer the old ways. By having the option in the security tab, you also have the ability to have different settings in each zone so that Intranet applications can still hide the browser cruft. Microsoft has stuffed up a lot of things in IE over the years, but this doesn't seem particularly controversial.

Hiding URL bar not a possibility in FF (1)

zooblethorpe (686757) | more than 3 years ago | (#34383188)

I never understood why MS ever thought it would be useful -- for the end user -- to hide the URL bar. The *only* use cases I can think of are devious and unhelpful to the end user.

And thanks for about:config, but that comes as no news. It also bears mentioning that Firefox doesn't actually have options for "everything" per se -- I cannot find any option to hide the URL bar, for instance, but maybe I'm just not seeing it.

Cheers,

Re:Hiding URL bar not a possibility in FF (1)

redJag (662818) | more than 3 years ago | (#34383336)

Perhaps for computers that are shipped as appliances and use a web app to configure them. The company I work for does touchscreen kiosks that run Windows and would probably be interested in turning that ability on. That is a slim use case, for sure, but a valid one :)

Separate build for appliances? (1)

zooblethorpe (686757) | more than 3 years ago | (#34383462)

Wouldn't a separate build be more appropriate in such a case? Much of the functionality in a full-on desktop install of a browser would only eat up valuable space in an appliance environment.

Then again, this is Microsoft, who seem to think that Windows is great on appliance machines...

Cheers,

Re:Separate build for appliances? (1)

Gadget_Guy (627405) | more than 3 years ago | (#34384732)

Why should they have to maintain a separate build just for the sake of not having a single checkbox in the configuration options? Surely not to save space, because it wouldn't take much code to check a setting before adding the address and status lines.

It is not even one of the more esoteric options on offer. Even a novice would be able to work out what it means.

You're thinking like a geek (1)

zooblethorpe (686757) | more than 3 years ago | (#34385390)

Even a novice would be able to work out what it means.

Seriously, you're thinking like a geek. Mind you, I don't mean that in a bad way. But I do mean that someone with your perspective is not someone who would most likely be disadvantaged by someone else hiding the URL bar, as you'd be wary and experienced enough to notice, and wonder what was up.

Why should they have to maintain a separate build just for the sake of not having a single checkbox in the configuration options? Surely not to save space, because it wouldn't take much code to check a setting before adding the address and status lines.

Redjag suggested that the option might be useful for appliance purposes. My reply about separate builds was precisely for this context -- so far the only useful and non-devious one mentioned for hiding the URL bar -- and in the context of an appliance installation, a separate build that saves space would indeed be very much desired. And by saving space, I'm referring to much more than just code to check a setting before adding the address and status lines: an appliance build, with space-savings in mind, would be much more bare-bones -- no need for extensions, no need for bookmarks, possibly even no need for JavaScript.

Is there any utility for end users of a full-on desktop browser installation for an option to hide the URL bar? I see plenty of utility for others -- megacorps, phishers, and assorted other ne'er-do-wells -- but I can think of no compelling use for regular old end users.

Cheers,

Re:You're thinking like a geek (1)

Gadget_Guy (627405) | more than 3 years ago | (#34386016)

Seriously, you're thinking like a geek. Mind you, I don't mean that in a bad way. But I do mean that someone with your perspective is not someone who would most likely be disadvantaged by someone else hiding the URL bar, as you'd be wary and experienced enough to notice, and wonder what was up.

Yes, but by the same reckoning only a geek would go into the advanced options of the security settings in the first place. Considering that the facility is switched off by default, then you are worried about nothing.

a separate build that saves space would indeed be very much desired

I have used IE in kiosk mode to knock up an info system for customers. At no time was there a need for a cut down build of Internet Explorer. If you are using a system that can run Windows, then you can easily handle the normal browser code being loaded even if it isn't used.

Is there any utility for end users of a full-on desktop browser installation for an option to hide the URL bar? I see plenty of utility for others -- megacorps, phishers, and assorted other ne'er-do-wells -- but I can think of no compelling use for regular old end users.

I once wrote an HTML application [wikipedia.org] (see also HTA [microsoft.com] ) to categorise and sort my travel photos into my journal system. It was quite easy to do, and it didn't require all the heavy coding to do the graphics that was required by other languages at the time. It was quite convenient to make a program that used a completely borderless, full screen window in an interpreted language that required no additional install on a Windows computer.

I have also used pop up windows without an address line on some Intranet applications, although when they started displaying with the URL it wasn't a deal-breaker to bother reconfiguring everyone's systems to hide it.

Re:Yeah... (1)

node 3 (115640) | more than 3 years ago | (#34384490)

That's not true. Even Firefox doesn't ignore it. Firefox still shows the URL, but hides the rest of the address bar. Safari hides the address bar, but you can show it with CMD-L. I don't have Chrome handy, so I can't test that.

apple reference is unnecessary (1)

MichaelKristopeit212 (1946196) | more than 3 years ago | (#34381572)

microsoft's interface design allows websites to popup alert dialogs that match the OS interface and trick users into installing malware.

so "scammers exist" is basically the meat of the claims of the story... this is news?

slashdot = stagnated

Re:apple reference is unnecessary (1)

uniquename72 (1169497) | more than 3 years ago | (#34382194)

Since the story (the one linked -- not the one about similar problems you've concocted in your head) is entirely about the iPhone, yes, the Apple reference is necessary.

Re:apple reference is unnecessary (1)

MichaelKristopeit212 (1946196) | more than 3 years ago | (#34382444)

to further the obvious implications of my point: THE STORY IS UNNECESSARY.

a solution was not given because no workable solution exists without trusting an all powerful 3rd party entity to decide what is safe for you.

all interfaces are subject to exploitation. devices can fit inside of an ATM card slot to scan cards... as long as a user expects to put their card in a slot, there is no defense other than pursuing and prosecuting offenders.

this is not news or security research... this is ignorantly hypocritical marketeering.

Re:apple reference is unnecessary (0)

Anonymous Coward | more than 3 years ago | (#34393044)

So is that why all of IE's title bars (non-hideable, from what I understand) have " - Internet Explorer" tacked on to the end? Damn, I guess that's why they let that glaring security flaw through.

It's even harder to read the URL... (0)

Anonymous Coward | more than 3 years ago | (#34381578)

...while I'm driving.

Whose fault is it? (0, Troll)

fermion (181285) | more than 3 years ago | (#34381598)

The iPhone was meant to be able to browse the whole web, with the exception of Flash pages. So why do banks and vendors push the iPhone to a mobile site? Why don't they have a uniform site that can be accessed by any browser? Why do they engage in less secure behavior? For example, Wells Fargo encourages users to sign in on the home page (which is lately secure), uses interstitials at sign in, and also has a mobile site. Much of the lack of security comes from the habits encouraged by the financial institution, and the browser can only do so much.

For instance, by allowing sign in on a home page, which at one time was not secure, the user got used to not looking for the lock. Therefore hackers could register wellfargo.com, or wellsfargo.net, or a million variations and harvest usernames and passwords. Clearly URL spoofing did not play a part. Few people look closely at the URL.

Which is to say that Safari allowing URL spoofing is a concern, but I do not see it as dramatic. The URL is not really visible all the time on the iPhone. My real concern is that banks, and stores such as Amazon, have mobile sites instead of just designing one site that will work for all users. This creates a precedent that the look and feel of a vendor is not uniform, and provides an opening for those that want to spoof sites.

Re:Whose fault is it? (2, Insightful)

0123456 (636235) | more than 3 years ago | (#34381724)

Therefore hackers could register wellfargo.com, or wellsfargo.net, or a million variations and harvest usernames and passwords. Clearly URL spoofing did not play a part. Few people look closely at the URL.

How would a lock icon have helped? If the phishers own a similar domain name they can get an SSL certificate and there'll be a nice fancy lock icon showing that the connection is secure... it's just not going to the site you think it's going to.

Re:Whose fault is it? (0)

Anonymous Coward | more than 3 years ago | (#34381906)

On IE, which was and still is the primary browser for many unsophisticated users, a lock icon appears in the browser area out of the control of the web site. It appears when a secure site is displayed. At one time users were told to look for the lock to make sure a web page was secure. This was because most unsophisticated browsers really can't hack a URL. Due to lack of security protocol, this rule could not be applied to WF. It is one of many security compromises banks have made over the years that has led to a situation of general insecurity, which merely displaying a name on the URL is not going to solve. For instance, on the mobile the URL for the bank under discussion is wf.com, which is something a hacker might do.

Re:Whose fault is it? (1)

hellkyng (1920978) | more than 3 years ago | (#34381812)

The way mobile phones are, it isn't possible to design a single site that will work for all devices. Sure, an iPhone might be able to handle the full website, but even a year or two old blackberry seriously chokes on full bank websites. There are hundreds of variations of web enabled phones that can't even function on a full commercial website so it really isn't possible to design one. A number of banks even have multiple mobile sites depending on your device. So you get a more rich site with an iPhone for example than a blackberry. The security issue here is that developers aren't considering application security best practices for mobile applications and devices. As far as I can tell we learned very little from past mistakes. It's going to be a harsh lesson as mobile phones are increasingly targeted by the baddies.

Re:Whose fault is it? (0)

Anonymous Coward | more than 3 years ago | (#34382766)

Maybe if they didn't use javascript everywhere and had multiple alternative stylesheets, we wouldn't have this issue nearly as much...

Re:Whose fault is it? (1)

JesseDegenerate (936699) | more than 3 years ago | (#34381852)

Really? can't tell the difference between your 22" widescreen monitor and your 3.6" or w/e iphone?

a touch interface and a mouse / keyboard driven one? Just seems a little ridiculous..

Weak (0)

Anonymous Coward | more than 3 years ago | (#34381610)

Screenshots of ui elements have always been an avenue for web predators. It's not an iPhone unique problem. Although, they could put a user-unique element in the address bar to fight it (an icon or a condensed username).

No "Hover" (0)

bradgoodman (964302) | more than 3 years ago | (#34381816)

On most browsers/clients/systems - you can "hover" over a hyperlink and see the URL it's going to. Not so with iOS

Re:No "Hover" (3, Informative)

JesseDegenerate (936699) | more than 3 years ago | (#34381834)

How is that? When I press on a link and hold down, on my iPhone, it gives me the full address, the option to copy the link, open the link, or open in a new page. I guess I'm special!

Re:No "Hover" (4, Insightful)

farnsworth (558449) | more than 3 years ago | (#34381858)

On most browsers/clients/systems - you can "hover" over a hyperlink and see the URL it's going to. Not so with iOS

If you touch-and-hold a url in mobile safari, you are presented with popup that contains the complete url.

I submitted this to slashdot months ago. :-/ (1)

mootcycle (1949844) | more than 3 years ago | (#34381850)

I'm just complaining, but I tried to publicize this through Slashdot back in October and was ignored. http://twitter.com/mootcycle/status/27965429016/ [twitter.com] I also made the point that mobile browsers don't display enough of the URL. accounts.google.com.evil-lemur.com only shows the first bit of the URL. Oh well. I suppose I should have tried harder to get someone to pay attention.
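
An added example, not part of any comment in this thread: one way a narrow address bar could choose what to show, covering robot256's suggestion above of displaying just the domain and the point here that accounts.google.com.evil-lemur.com gets cut to its first part. The function names and the small suffix and TLD sets are assumptions made for illustration; real code would consult the full Public Suffix List.

```javascript
// Added example (not from the thread): pick the text for a narrow address bar
// so that the registrable domain, the part someone must actually own,
// is never the part that gets cut off.

// ASSUMPTION: tiny constructed sample; use the full Public Suffix List in practice.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);
// Labels that look like a TLD when they turn up inside a subdomain.
const TLD_LIKE = new Set(["com", "net", "org", "gov", "edu"]);
const ELLIPSIS = "\u2026";

function isIpLiteral(host) {
  return host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Return the registrable domain (public suffix plus one label).
function registrableDomain(host) {
  if (isIpLiteral(host)) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// The behaviour complained about: keep the first characters, drop the rest.
function naiveDisplay(url, maxChars) {
  return new URL(url).hostname.slice(0, maxChars);
}

// Elide from the left on label boundaries and report warning flags.
function safeDisplay(url, maxChars) {
  const host = new URL(url).hostname.replace(/\.$/, "");
  const domain = registrableDomain(host);
  const sub =
    host === domain ? [] : host.slice(0, -(domain.length + 1)).split(".");

  const flags = [];
  // Punycode labels mean the rendered name may contain look-alike characters.
  if (host.split(".").some((l) => l.startsWith("xn--"))) flags.push("idn-label");
  // "google.com." used as a subdomain prefix of somebody else's domain.
  if (sub.some((l) => TLD_LIKE.has(l))) flags.push("tld-in-subdomain");

  let text = host;
  if (host.length > maxChars) {
    let kept = domain; // shown whole even if it exceeds the budget
    for (let i = sub.length - 1; i >= 0; i--) {
      const candidate = sub[i] + "." + kept;
      if (candidate.length + 2 > maxChars) break; // 2 = ellipsis + dot
      kept = candidate;
    }
    text = ELLIPSIS + "." + kept;
  }
  return { text, domain, flags };
}

// Constructed sample input, using the hostname given in the comment above.
const sample = "https://accounts.google.com.evil-lemur.com/ServiceLogin";
console.log(naiveDisplay(sample, 20));
console.log(safeDisplay(sample, 20));
```
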

Re:I submitted this to slashdot months ago. :-/ (1)

NicknamesAreStupid (1040118) | more than 3 years ago | (#34382000)

"Just because you have foresight, initiative, and relevance, it doesn't mean you can't be shamelessly ignored," Harry Markopolos.

Re:I submitted this to slashdot months ago. :-/ (1)

mootcycle (1949844) | more than 3 years ago | (#34382034)

Yeah, I can still feel annoyed about it. ;-) Oh well.

Nasty, but not a "new" problem (2, Insightful)

ekhben (628371) | more than 3 years ago | (#34381988)

Web security should never depend on a user recognising a specific pattern of pixels, either by determining whether that vertical bar with some marks at the top and bottom is a "1" or an "l" or by figuring out if the displayed UI element is part of the web page or not.

And, if your bank's website doesn't use two-factor authentication, disable it now.

why? /etc/hosts is enough (1)

kentsin (225902) | more than 3 years ago | (#34382278)

STUPID all of us.

Still wouldn't fix everything (1)

sootman (158191) | more than 3 years ago | (#34382902)

"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view," he said. "Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."

Even if the true URL were visible it still wouldn't help much--people would still visit www.bankofamercia.com or www.bankofamerica.evilsite.com or www.bankofamericaonline.net or any one of a million other correct-looking domains.

"I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view"

Yes, let's make everyone's experience worse just to help a small percentage of people who couldn't use the information shown to help themselves anyhow. No, thanks.

Exploit variant (2, Interesting)

sootman (158191) | more than 3 years ago | (#34382956)

An even better way to take advantage of this exploit: Once you've got your page that hides the address bar, at the top of the page show a graphic of Safari's address bar with a totally legit URL. You could even make it a form field so people could click into it and type, and if they click 'Go' have it take you to whatever site they asked for. (Or not.)

Re:Exploit variant (1)

IAmGarethAdams (990037) | more than 3 years ago | (#34385932)

I'm not entirely sure how showing "a graphic of Safari's address bar with a totally legit URL" (which you suggest) is "even better" than showing a graphic of Safari's address bar with a totally legit URL (which is what the article describes)

Re:Exploit variant (1)

sootman (158191) | more than 3 years ago | (#34393554)

Ah. I found my problem -- two TFAs to read. :-) It's not specified in the first one.

I guaran-goddamn-tee you ... (0, Offtopic)

Daniel Dvorkin (106857) | more than 3 years ago | (#34383286)

... that Chrome's protocol-hiding will cause similar problems one of these days. I don't know how, I don't know when, I don't know where -- but I do know that someone's going to use it to cause harm.

Re:I guaran-goddamn-tee you ... (3, Funny)

Lehk228 (705449) | more than 3 years ago | (#34383904)

by tricking you into FTPing into your bank?

Not much of a issue (0, Offtopic)

huzur79 (1441705) | more than 3 years ago | (#34383492)

Seems like no one really read the article. It's not a problem with Safari. If a user opens a web page in Safari they don't lose the URL bar. It's in-app access to browsing using APIs to hide the URL after a page in an App has loaded. Users only get to see it for a few seconds. I still think it's a non-issue because Apps are so controlled on Apple it would be a stroke of luck for someone to get an App that did abuse that to steal people's info; it would be busted quickly if it did somehow get past the App approval nazis, and quickly pulled. If such a rare thing did happen it could spark Apple to use the auto-remove back door of any apps of that nature installed for the first time. Sometimes it's great using a device that is highly controlled because I have no reason to worry about this at all with the current state of App approvals. The flaw would be horrible on a more open, less controlled market space though.

Re:Not much of a issue (1)

BasilBrush (643681) | more than 3 years ago | (#34383626)

No this is not about apps from the App Store. This is about mobile web applications. Applications that run in Mobile Safari on a web site. AJAX, etc.

Re:Not much of a issue (1)

huzur79 (1441705) | more than 3 years ago | (#34383682)

I stand corrected, I was flat out wrong... I read the story on MacNN first this morning and they have it wrong or I read it wrong. My apologies.....

Feature (2, Insightful)

pgn674 (995941) | more than 3 years ago | (#34384700)

I actually consider this a feature, not a bug.

I use Google Reader a ton in my iPod Touch's Safari mobile browser, and that site does the same thing. It and other sites that use this feature don't actually hide the URL bar permanently. Instead, the URL bar always acts like it's part of the top of the web page once the page is fully loaded and rendered (during loading and rendering, the bar displays, no matter what). So if you scroll down the page, the bar scrolls away. Scroll to the top of the page, and the bar scrolls into view.

With this feature, a site can ask the mobile Safari web browser to artificially simulate a scroll of the height of the bar. This is very nice, as it lets the web page have more assured screen space for its initial view. When you use a site like Google Reader a lot on your iPod Touch, it's nice to have this large initial view.

Instead of removing this feature, if something is to be done about the risk of a website using a visual trick against a user, I'd rather that a mark of some sort be placed on the status bar at the top, beside the clock, radio strength, battery charge, etc. This way, if a user sees a URL bar and that mark at the same time, then the URL bar he sees is obviously a fake.

Qshit (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#34385318)

Conglomerate in the the last night ofD be in a scene and survival prospects than this BSD box, fun to be again. as little overhead

MOre coffin nails (0)

Anonymous Coward | more than 3 years ago | (#34386050)

Another nail in the coffin of the freakin shit tard jerk off iPhone shite container apple need nuking off the face of the planet they are even worse than that bunch of idiots at M$ Corp and thats saying something Jobsy FOAD do the world a favour ..

Android too (3, Informative)

L4t3r4lu5 (1216702) | more than 3 years ago | (#34386366)

The stock Android browser hides the address bar, so you need to scroll up slightly to see it. That's all that this attack is relying on. My HTC Desire does it.

This isn't an Apple problem, this article is an Apple-bashing troll. Kill it.

Re:Android too (1)

andybak (542829) | more than 3 years ago | (#34386710)

I don't know where you got the impression that this was Apple-bashing. They failed to make the connection with other platforms but in my view the Apple bashing was all in your mind.

Re:Android too (2, Insightful)

L4t3r4lu5 (1216702) | more than 3 years ago | (#34386820)

They don't fail to make the connection with other platforms, they exclude other platforms totally and focus only on one, specifically. When there are other devices, on the mass market, which behave in exactly the same way, yet the article makes no reference to them whatsoever, the article is certainly biased.

FWIW, I'm not an Apple fan. At all. I just don't believe in spreading FUD, no matter the target. This is a feature to maximise screen space when browsing, which can be abused by imitating the URL bar with an image at the top of the page. It happens on at least Android and Apple devices. They should both be mentioned.

Re:Android too (0)

Anonymous Coward | more than 3 years ago | (#34388612)

My Opera Mobile (delivered by my operator on my HTC HD2) also slides the address bar away once the page has loaded. I would notice the trick mentioned though, because the image would not slide away. Also, on every clickthrough to a new page, the address bar briefly reappears. I believe that between the iPhone browser, the Android Browser and Opera Mobile we have at least 90% of the mobile browser market displaying this behavior (don't know about Nokia browsers).

Re:Android too (0)

Anonymous Coward | more than 3 years ago | (#34393306)

Most other mobile devices have more than one button off the screen. For example, all Android phones have a menu button that if you press in the browser, it brings up the menu and the URL bar. BB's and WinMo's (7) usually have full keyboards, and can (likely) bring up the URL bar guaranteeing non-spoofability. Websites can't exactly fake reprogramming a hardware button.

Theoretically, you can - a well crafted HTML5 site - simulate the entire browser UI. If it respects Javascript based page positioning, you can guarantee the user never gets back to the top of the page. Done well enough, you could even have the side scroll bar (if there is one) mimic the real UI.

So in this sense, you're right and wrong at the same time. APL phone is the only major phone out there right now without a method that you can guarantee the URL bar you see is the real URL bar with a touch of a button or two.

What?!? (1)

Dretep (903366) | more than 3 years ago | (#34393946)

You mean there isn't an App for that?