November 29, 2010
Identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said today. In a pair of blog posts, Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application.
In a proof-of-concept, Dhanjani showed how legitimate Web applications, such as Bank of America's mobile banking application, hide Safari's address bar after rendering the page. He speculated that developers use this practice to make the most of the limited screen real estate on mobile devices like the iPhone.
"Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites," said Dhanjani on his personal blog and in an entry on the SANS Institute's blog.
Identity thieves and scammers could apply the same practice to conceal the actual URL of a fake site they've created and then duped users into visiting, Dhanjani said.
The ability to hide the address bar in iOS, Apple's mobile operating system that powers the [link removed], is by design, noted Dhanjani, who said he had reported the problem to Apple.