
A URL spoofing bug affecting iOS 5.1 was recently found by Major Security (link to original PoC). Several news outlets have already covered it, but the following question on Hacker News was interesting:

Since you're opening a new window from another domain and writing arbitrary HTML into it, I wonder if this vulnerability could be used to bypass cross-domain restrictions...

Quick summary of the bug

This issue is a typical URL spoofing bug: the URL displayed in the address bar does not reflect the domain the page actually lives on. For example, the bug allowed me to produce the following page:

To get this page, you spoof the URL passed to a window.open call and then write your own HTML into the new window. Here is the snippet of code that generates the page above:

  // First argument: the URL the address bar will display for the popup.
  w = window.open('', 'Google');
  // The opener writes arbitrary HTML into the popup; the address bar is not refreshed.
  w.document.write('<html><style>body{background-color:yellow;font-family: serif;color:blue;font-size:100px}</style>Welcome to the new</html>');

Can this bug be used to interact with the spoofed domain?

The question on Hacker News is legitimate: since the address bar shows the spoofed domain, can the HTML/JavaScript code written into the popup actually interact with that domain's pages?

Fortunately, the answer is no. If it could, the bug would be much more serious: it would be a bypass of the Same Origin Policy (SOP). Simply put, SOP prevents pages from one domain from accessing another domain's DOM. That means that when you visit a site, that site should not be able to read the DOM (say, the cookies) of another domain you are logged in to.

So, how do we verify that? A quick test is to look at which domain the code in the popup is actually running on. If the document's domain (document.domain) differs from the domain shown in the URL bar, this is a spoof: the bar lies, but the script is still confined to the attacker's origin. If the document's domain had really become the one shown in the bar, we would be in the more serious case described earlier (SOP bypass). We can display the domain as the Same Origin Policy sees it by using the following snippet as the body of the spoofed page: alert('domain: ' + document.domain)

One caveat: document.domain can be relaxed by script to a parent domain, so for a more reliable check read location.href (or location.origin) from inside the popup as well; both should name the attacker's origin, not the spoofed one.

And here we go:
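The same check, written out so it can be run offline, as an added example that is not part of the original post or of the Major Security PoC. It compares origins the way SOP does (scheme, host, effective port), classifies what a script inside the popup reports against what the bar shows, and performs the cross-window DOM read the Hacker News comment asks about. The victim.example / attacker.example names and the fake window objects are constructed for illustration; the browser driver at the end reuses the shape of the snippet above and is skipped outside a browser.

```javascript
// Added example, not from the original post or the Major Security PoC.
// Default ports used when the URL omits one, so that 'https://a.example'
// and 'https://a.example:443/' compare equal.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Origin tuple as the Same Origin Policy compares it (RFC 6454):
// scheme, host and effective port. Path, query and fragment are ignored.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORT[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Classify the bug from three observations:
//   shown    - the URL the address bar displays (the spoofed one)
//   attacker - the origin of the page that called window.open + document.write
//   actual   - what a script inside the popup reports (location.href)
// 'none'       : the bar is honest
// 'url-spoof'  : the bar lies but the script still runs in the attacker's
//                origin (cosmetic: useful for phishing, nothing more)
// 'sop-bypass' : the script really runs in the displayed origin (the serious
//                case the post rules out)
function classify(shown, attacker, actual) {
  if (sameOrigin(shown, attacker)) return 'none';
  if (sameOrigin(actual, attacker)) return 'url-spoof';
  if (sameOrigin(actual, shown)) return 'sop-bypass';
  return 'unknown';
}

// The cross-domain question from the comment: try to read the popup's DOM
// from the opener. Browsers throw a SecurityError for a cross-origin window,
// so a thrown error means SOP held. A readable document means both windows
// share an origin, which is exactly the situation when the opener itself
// wrote the popup's content.
function probeCrossWindow(win) {
  try {
    return { blocked: false, domain: win.document.domain };
  } catch (e) {
    return { blocked: true, error: e.name };
  }
}

// Browser-only driver with the same shape as the snippet above, so the check
// can be pasted into a console. Returns null in Node (no window object).
function demoInBrowser() {
  if (typeof window === 'undefined') return null;
  const w = window.open('', 'Google'); // first argument: URL the bar should show
  w.document.write('<html><body>spoof check</body></html>');
  // The popup is same-origin with the opener, so both reads succeed; a real
  // cross-origin popup would make probeCrossWindow report blocked: true.
  return { probe: probeCrossWindow(w), reported: w.location.href };
}
```

Usage in the field: run classify with the spoofed URL from the address bar, your own origin, and whatever location.href the popup alerts; 'url-spoof' is the expected answer for this bug, and 'sop-bypass' would be the result worth escalating.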

Impact of the bug

This kind of bug was quite popular several years ago, from null-byte injection in the URL bar to Unicode (IDN homograph) tricks. This one does not seem particularly interesting in terms of cause: the popup's window handle stays writable, as it should for a same-domain popup, but the address bar is not refreshed to reflect the document that was written into it.
The real problem is that this bug facilitates phishing. Think about it: it looks like you are on the site the URL bar names, but you are actually on a site that can proxy each request to the real one, and with it go your passwords, emails, and anything else you type.


Until Apple fixes this bug in an iOS update, block popups in the Safari settings; that should be good enough for the time being. Also check for the HTTPS visual indicator before entering credentials, since the bar's domain alone can no longer be trusted.