Hey Frenzz...
German security researchers say the vulnerability was discovered in the security system for mobile Safari on resolution of the device. In the case of successful operation of criminals can get hold of confidential user data.
Judging from the description, the researchers found an error in the execution of some scripts JavaScript, which could potentially allow a fishinovuyu attack and cause identity theft or redirect users to malicious software supplied with the resource. According to experts, the vulnerability is in the wrong processing function javascript window.open ().
To demonstrate the researchers created a fake page of a legitimate resource (as an example has been chosen "www.apple.com") and posted it on another server, and have developed an experimental model of an exploit. After some manipulation, typing in the address bar of a legitimate link to the resource, the mobile browser in the new window has opened a fake page of the site Apple, on another server, but it remained a legitimate address of the page.
According to the experts (hhhp :/ / threatpost.com/en_us/blogs/ios-javascript-bug-can-lead-spoofed-sites-032312), this defect can be used by attackers to obtain sensitive data and the user does not even suspect a trick, as in the address bar displays the original link. The only way to distinguish a fake from a legitimate resource - is inaccuracy in the implementation of the page. However, if the desired page will be copied exactly, then success is guaranteed for intruders.
A flaw in the security system has been found in recent versions of Safari 5.1 browser for iPhone4, iPhone4S, iPad2 and iPad3, but it is possible, failure may be in other assemblies.
German security researchers say the vulnerability was discovered in the security system for mobile Safari on resolution of the device. In the case of successful operation of criminals can get hold of confidential user data.
Judging from the description, the researchers found an error in the execution of some scripts JavaScript, which could potentially allow a fishinovuyu attack and cause identity theft or redirect users to malicious software supplied with the resource. According to experts, the vulnerability is in the wrong processing function javascript window.open ().
To demonstrate the researchers created a fake page of a legitimate resource (as an example has been chosen "www.apple.com") and posted it on another server, and have developed an experimental model of an exploit. After some manipulation, typing in the address bar of a legitimate link to the resource, the mobile browser in the new window has opened a fake page of the site Apple, on another server, but it remained a legitimate address of the page.
According to the experts (hhhp :/ / threatpost.com/en_us/blogs/ios-javascript-bug-can-lead-spoofed-sites-032312), this defect can be used by attackers to obtain sensitive data and the user does not even suspect a trick, as in the address bar displays the original link. The only way to distinguish a fake from a legitimate resource - is inaccuracy in the implementation of the page. However, if the desired page will be copied exactly, then success is guaranteed for intruders.
A flaw in the security system has been found in recent versions of Safari 5.1 browser for iPhone4, iPhone4S, iPad2 and iPad3, but it is possible, failure may be in other assemblies.
0 comments:
Post a Comment