Scammers can hide fake URLs on the iPhone, says researcher

Editor’s Note: This story is excerpted from Computerworld. For more Mac coverage, visit Computerworld’s Macintosh Knowledge Center.

Identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said today.

In a pair of blog posts, Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application.

In a proof-of-concept, Dhanjani showed how legitimate Web applications such as Bank of America's mobile banking application hide Safari's address bar after rendering the page. He speculated that developers use this practice to use as much as possible of the limited screen real estate on mobile devices like the iPhone.

"Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites," said Dhanjani on his personal blog and in an entry on the SANS Institute's blog .

Identity thieves and scammers could apply the same practice to conceal the actual URL of a fake site they've created and then duped users into visiting, Dhanjani said.

The ability to hide the address bar in iOS, Apple's mobile operating system that powers the iPhone, is by design, noted Dhanjani, who said he had reported the problem to Apple.

"I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue," said Dhanjani.

He suggested that Apple modify iOS to prevent Web applications from hiding the URL.

"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view," he said. "Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."

Dhanjani is probably best known as the security researcher who uncovered an Apple Safari vulnerability in 2008 that could be exploited with "carpet bomb" attacks, a term he used because the attacks littered the Windows desktop with malware files.

Although Apple initially told Dhanjani that it didn't consider the problem a security issue, it later issued a patch after others, including Microsoft, told users to stop running Safari.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

At a Glance
  • Macworld Rating

    A gorgeous display, high-quality camera, and fast processor are the best reasons to buy Apple's latest iPhone.

    MSRP: $199 (with two-year contract); varies for other levels of AT&T contract commitment


    • Gorgeous high-resolution screen
    • Fast A4 processor with lots of RAM
    • Easy-to-use FaceTime videoconferencing
    • 5-megapixel camera takes great stills and good HD video
    • Longer battery life than previous iPhones
    • Support for iOS 4 features, including multitasking


    • Hand placement can disrupt cellular signals
    • Glass front and back could prove overly fragile
    • Not able to play back HD video to external display

Subscribe to the Best of Macworld Newsletter