> The proof-of-concept invites users to visit what appears to be the Daily Mail website
And they're sending this Guardian-reading iThing owners? I guess that's called deliberately making sure your PoC is safe.
A recently published exploit for the Safari browser demonstrates a URL spoofing mechanism which might convince users they are visiting a legitimate website, when they are actually visiting another site which may be phishing their details. Deusen researchers have disclosed a vulnerability which may be exploited by hackers to …
For anyone who can't try this, at first sight, there are a few visible clues.
Firstly, the correct URL is shown before the spoofed one. Quite obvious when loaded directly, but probably not noticeable if loaded in background or background tab.
Secondly, there is no icon. I don't know if this is an intrinsic issue with the spoof.
Thirdly, there is a consistent flicker at the left of the address field where the icon would go, looks like maybe there is some script constantly overwriting the icon.
It would be interesting to know if this worked with HTTPS sites.
So the answer would seem to be to stay away from this insidious "Website A" at all costs.
Or not to use the Safari browser of course. Speaking for my own experience using it on an iPad Air with an intermittent internet broadband connection (using it on my train commute) it is much less robust in terms of being able to cope with the webs going away and then coming back after a "post" has timed out than my browser of choice. Firefox over Win7 has no problem with the same scenario.
Trying to edit a "favorite" today had me snarling in rage as numerous attempts failed to update the bloody thing. I ended up deleting it in the end and starting over from scratch. Hands down the worst f*cking browser/platform combination I've ever used.
On the Safari browser on iOS I find it very annoying the address bar doesn't just show the actual address you're on. Instead their supposed security shows the name of the site instead so you have to trust they are correct. Just leave the original address in there; I'll take the responsibility of making sure I'm on a genuine site.