A Simple Phishing Vulnerability in Mobile Safari

I recently put together a demo of a very simple, yet very convincing, phishing attack targeting mobile Safari:

It works by first checking the user agent and determining what kind of device the request is being made on. If the device isn’t an iPhone, the user is simply forwarded to PayPal.com and will never know the difference. But if the request is made from an iPhone, the user gets the special phishing login screen which does the following:

  1. Shows an image of Safari’s location bar at the top which implies that the user is on PayPal.com.
  2. Scrolls the actual location bar off the screen quickly enough that very few people will notice it.

Since this attack targets mobile devices, it’s pretty safe to assume that many (probably most) users won’t be paying very close attention, and will likely not notice the actual location bar being hidden. The effect is so fast that even users who do notice probably won’t think anything of it.

I really like that mobile Safari lets you hide the location bar in order to have more pixels for actual content, but perhaps there’s a way to tweak the design in such a way as to make malicious applications of this feature less feasible.