April 18, 2008 12:21 PM PDT

Researcher: Wii and iPhone browsers could allow phishing

In a paper (PDF) presented at the Usability, Psychology, and Security Conference 2008 in San Francisco, researchers from the University of California at Davis warned that browsers within popular electronic gadgets often eliminate important security features available on desktop browsers.

Researchers Yuan Niu, Francis Hsu, and Hao Chen looked at the Mobile Safari browser on the Apple iPhone, as well as the Opera browser included in the Nintendo Wii and DS gaming systems. In general, they cited the reliance on screen typing as a deterrent to typing in known URLs. They said users are more likely to click on URLs presented in an e-mail.

They also said reduced screen sizes tend to force the address bar off the screen. On the Nintendo DS, only the first 22 characters display. They gave an example of a page called www.bankofamerica.com.phishydomain.com, which would be truncated to simply www.bankofamerica.com.

On the iPhone, the researchers said a simple ScrollTo() JavaScript call could knock the address bar off the Safari screen. In the paper, they gave an example in which JavaScript directs the page to load somewhere in the middle, forcing the address bar off the top of the page.

Even when the address bar is visible, the researchers were able to use JavaScript to overwrite the bogus address with a more legitimate address. The overwrite trick could also lead the user into thinking a site was Secure Sockets Layer (SSL)-protected when it was not.

On the Nintendo Wii, the researchers found that the URL bar disappears when the page is loaded.

The researchers state that porting the traditional browser to a mobile device requires some foresight, and they suggest that even built-in features within browsers are ignored by users. They suggest instead that vendors use a proxy to filter out phishing before routing the pages to the devices.
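
The truncation problem and the proxy suggestion above can be combined into one check. The following is an added example, not code from the paper or the article: a filter a proxy could run to flag hostnames whose first 22 characters appear to name a different site than the one actually being loaded. It assumes the device's display starts at the hostname; `SUFFIXES` is a constructed sample standing in for the full Public Suffix List, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# From the article: the Nintendo DS shows only the first 22 characters.
DS_VISIBLE_CHARS = 22

# Constructed sample; a real filter would load the full Public Suffix List.
SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host):
    """Return the label directly left of the longest known suffix, plus that suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            # A bare suffix ("com") has no registrable part.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def truncation_hides_domain(url, visible=DS_VISIBLE_CHARS):
    """Return (apparent, real) if the truncated hostname reads as another site, else None.

    Assumption: the address display begins at the hostname, without the scheme.
    """
    host = urlsplit(url).hostname or ""
    real = registrable_domain(host)
    if real is None or len(host) <= visible:
        return None  # unknown suffix, or the whole hostname fits on screen
    shown = host[:visible].rstrip(".")
    apparent = registrable_domain(shown)
    if apparent is not None and apparent != real:
        return (apparent, real)
    return None


if __name__ == "__main__":
    # Constructed sample URLs; the first is the article's example hostname.
    for url in (
        "http://www.bankofamerica.com.phishydomain.com/login",
        "http://www.bankofamerica.com/",
        "http://onlinebanking-east.secure.example.com/",
    ):
        print(url, "->", truncation_hides_domain(url))
```

The heuristic only fires when the cut leaves a complete, plausible domain on screen; a cut that lands mid-label is not flagged.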

3 comments
Stupid
by krosavcheg April 19, 2008 6:19 AM PDT
That's a stupid point to make, and it just goes to show how the most popular things always attract the most unfair criticism. It's like people who are calling for banning Harry Potter books for no other reason than because they're popular. Who the hell is going to go shopping online on their Wii? It can't even get e-mail, how do they expect people to click fraudulent links from it. This is just an attention-seeking "OMG THE WII AND IPHONE ARE HACKER MAGNETS!!!1" shout into the wilderness.
Blame the fish, not the line.
by Brad S. S. April 22, 2008 7:43 AM PDT
ANY browser can allow phishing... it's just a question of whether the user is stupid enough to believe the phisher. Besides, it really sounds like you're blaming the screens for not being big enough.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
