An article from MSNBC.
You’re browsing the Internet on your iPhone or iPad when you’re suddenly prompted for some personal information. But you’re no dummy: Before you enter it, you check the URL bar to confirm that you really are on a trusted site. When you’re sure, you type in the information. Careful as you were, you still may have handed sensitive data to a bad guy.
How is that possible when you’re absolutely certain that you’re on a trustworthy website? Because right now you can’t trust the URL bar on your iOS device’s mobile Safari browser, thanks to a security exploit.
The flaw can be exploited to potentially trick users into supplying sensitive information to a malicious website, because the information displayed in the address bar can be constructed in a way that leads users to believe they are visiting a different website from the one actually being displayed.
MajorSecurity has created a demonstration of the exploit. You can check it out by following this link on a device which is running iOS 5.1. After pressing the “demo” button on that website, you will see Safari open a new window which displays “http://www.apple.com” in the URL bar, even though the website you’re viewing is actually hosted on “http://www.majorsecurity.net.”
There’s no fix for the issue right now, but it shouldn’t take long for Apple to patch the exploit. In the meantime, you should be careful about which links you follow.