Security researcher Nitesh Dhanjani has discovered a way that hackers could trick users into visiting fake websites by hiding their URLs. In a proof of concept example, Dhanjani shows users that a web page can display a graphic of a Safari browser window, showing a fake URL. After this page has loaded, Safari’s address bar disappears, leading users to believe that the URL they see in the graphic of the web page is the correct one. Phishing sites could create “pages” like this easily, leading users to believe that they are on valid web sites, and possibly convincing them to enter personal data such as passwords, credit card numbers or more.
One of the main reasons for this activity is the limited amount of screen space on mobile phones such as the iPhone. Safari scrolls up, hiding the address bar after a page has loaded, so users can see the content of web pages, but this activity can mislead users in cases such as the one demonstrated here.
iPhone users should be especially careful when loading pages for banks, web sites where they make purchases, and others where they enter sensitive information, if they have gotten to those sites by tapping a link. When in doubt, swipe up to see the address bar and check that you’re on the site you think you’re on.