A newly-discovered mobile Safari web browser vulnerability allows a malicious website to display a URL that is different than the website's actual address, and can trick users into handing over sensitive personal information.



From Apple Insider:

The issue, first discovered by security firm Major Security, is an error in how Apple's mobile Safari app in iOS 5.1 handles URLs when using javascript's window.open() method that can be exploited by malicious sites to display custom URLs.

"This can be exploited to potentially trick users into supplying sensitive information to a malicious web site," Major Security explains, "because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site."

  Safari vulnerability in iOS 5.1 allows URL spoofing