iOS 5.1.1 Fixes URL Spoofing Vulnerability in Safari

By Jason

Published 8 May 2012

Apple has fixed the vulnerability that David Vieira-Kurz of MajorSecurity had discovered last month, which could be exploited to spoof URLs in the address bar.

Malicious websites could use the vulnerability to make their address appear as a URL the user might trust, and then ask for sensitive information such as login credentials or credit card numbers.

Apple has credited David Vieira-Kurz with discovering the vulnerability in the support document that details the security issues fixed in iOS 5.1.1, which Apple released a few hours ago.


Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2

Impact: A maliciously crafted website may be able to spoof the address in the location bar

Description: A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.

In addition to the Safari vulnerability, Apple has also fixed two WebKit-related vulnerabilities in iOS 5.1.1.

[via Cult of Mac]