Earlier today, Apple released a new version of its mobile software: iOS 5.1.1. The update includes a number of bug fixes, and also apparently contains a patch for the dangerous URL spoofing vulnerability in mobile Safari.

We told you about the exploit, discovered by the folks at Major Security, back in March of this year. It allows web pages to spoof URLs in Safari’s address bar, leading users to believe they’re on a different website…

Apple explains the fix on its iOS 5.1.1 security support page:


Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2

Impact: A maliciously crafted website may be able to spoof the address in the location bar

Description: A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.”

Apple properly credits the discovery of the vulnerability to David Viera-Kurz of Major Security. Viera-Kurz was the first to bring up the issue, publishing an extensive blog post and even creating a working demo of the bug in action.

[Cult of Mac]

  • Sorry, I’m a bit simple when it comes to things about this. If we visit these URLs, what happens to us/our phones?
    Again, sorry for sounding uneducated about this.

    • Anonymous

      They could make it look exactly like a legitimate website even one that already exists like apple or facebook and trick you into entering your username and password giving them access to your account.

      • Ok, but this doesn’t count for using the actual app, right? I mean, I never use FB through safar, i only use the FB app.
        Sorry, again.

      • Actually, I’m not so sure about this. I think it applies to all apps using WebView, like Twitter apps do when you tap on a link. Safari uses WebView itself, so unless the vulnerability is a problem with the actual Safari app (after all it spoofs Safari’s adress bar), I think it affects every app that can display websites when you click on a link.

        Please don’t quote me on that though 😉

      • Anonymous

        You’ll be fine with legitimate apps, because they’ll direct you to the correct site.
        The problem comes when you clink a dodgy hyperlink.

  • Ok, thanks guys! Things are a clearer now.