In a pair of blog posts, Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious web application.
In a proof-of-concept, Dhanjani showed how legitimate Web applications such as Bank of America's mobile banking application hide Safari's address bar after rendering the page. He speculated that developers use this practice to use as much as possible of the limited screen real estate on mobile devices like the iPhone.
"Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites," said Dhanjani on his personal blog and in an entry on the SANS Institute's blog .
Identity thieves and scammers could apply the same practice to conceal the actual URL of a fake site they've created and then duped users into visiting, Dhanjani said.
"I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue," said Dhanjani.
He suggested that Apple modify iOS to prevent web applications from hiding the URL.
"Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary Web applications to scroll the real Safari address bar out of view," he said. "Perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar, i.e. below the carrier and time stamp. Positioning the current domain context in a location that is unalterable by the rendered Web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."
Dhanjani is probably best known as the security researcher who uncovered an Apple Safari vulnerability in 2008 that could be exploited with "carpet bomb" attacks, a term he used because the attacks littered the Windows desktop with malware files.
Although Apple initially told Dhanjani that it didn't consider the problem a security issue, it later issued a patch after others, including Microsoft, told users to stop running Safari .