David Vieira-Kurz of the infosec firm MajorSecurity has discovered a major URL spoofing vulnerability in Mobile Safari on iOS 5.0, 5.0.1 and the latest release, 5.1. The problem lies in the way the browser handles JavaScript's window.open() function.
Phishing sites can use this flaw to mask a fake page behind the real website's URL. Because the address bar shows the legitimate address, there is really no way for a user to tell the difference, so the user will submit all of their information to the phishing site.
"This can be exploited to potentially trick users into supplying sensitive information to a malicious web site," Vieira-Kurz explained, "because information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting another web site than the displayed web site."
Apple has not patched this yet; users are advised to apply the fix as soon as it is released.