MIT Technology Review
It’s possible to craft a malicious website so that a user’s clicks are secretly redirected to a legitimate site in a way that steals a user’s passwords and other data. Many Web developers have added protections to block the tactic on standard websites, but Stanford University researchers warn that there are not nearly enough defenses against the technique on mobile websites, which are accessed from devices such as the iPhone.

As a result, a smart-phone user could think he’s tapping to check a baseball score but is actually tapping on a button in a hidden page to confirm a money transfer.

Mobile users could be especially vulnerable to such tricks. For one thing, on smart phones, the parts of the user interface that indicate whether a page is secure generally appear in the browser bar, which usually disappears to maximize the screen area. Because the browser usually fills the whole screen of the phone, an attacker can “draw anything he wants on the screen, and the user cannot tell what’s real and what is from the attacker,” says Elie Bursztein, a postdoctoral fellow at the Security Laboratory at Stanford University.
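The protections the article says web developers have added on standard sites come down to two things: response headers that tell the browser the page may not be framed, and an in-page script fallback for browsers that ignore those headers. The following is an added example, not code from the article, the Stanford researchers or Lookout. It shows a checker for the anti-framing headers (X-Frame-Options and CSP frame-ancestors) and a frame-busting routine that takes the window object as a parameter so it can be exercised under Node with constructed stand-in objects; the function names and sample values are assumptions made here.

```javascript
// Added example (not from the article): two site-side defenses against
// clickjacking / tapjacking, written as plain functions so they run under
// Node with constructed inputs. In production, framingProtection() would
// inspect real HTTP response headers and bustFrame() would run in the page.

// Parse a Content-Security-Policy header value and return the source list
// of its frame-ancestors directive (lower-cased), or null when absent.
function frameAncestors(cspValue) {
  for (const directive of String(cspValue).split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map(s => s.toLowerCase());
    }
  }
  return null;
}

// Decide whether a response forbids being framed by arbitrary third-party
// origins. Header names are case-insensitive, so they are normalised first.
//   - X-Frame-Options DENY or SAMEORIGIN protects; the obsolete ALLOW-FROM
//     form is ignored by current browsers and is treated as no protection.
//   - CSP frame-ancestors protects unless it admits everyone ('*' or a bare
//     scheme such as https:, which any attacker-controlled site satisfies).
//     An empty source list means 'none' per the CSP spec, so it protects.
function framingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const xfoProtects = xfo === 'DENY' || xfo === 'SAMEORIGIN';

  const ancestors = frameAncestors(h['content-security-policy'] || '');
  const wideOpen = a => a === '*' || /^[a-z][a-z0-9+.-]*:$/.test(a);
  const cspProtects = ancestors !== null && !ancestors.some(wideOpen);

  return { xfoProtects, cspProtects, ancestors, protected: xfoProtects || cspProtects };
}

// In-page fallback for browsers that honour neither header. `win` is the
// page's window object (a constructed stand-in in tests). Returns true when
// the page is embedded by a different origin; when `navigate` is set it also
// breaks out by pointing the top frame at this page's own URL.
function bustFrame(win, navigate = true) {
  if (win.top === win.self) return false;        // not inside a frame at all
  let sameOrigin = true;
  try {
    // Reading a cross-origin top frame's location throws a SecurityError;
    // a same-origin parent (the site framing its own pages) does not.
    void win.top.location.href;
  } catch (err) {
    sameOrigin = false;
  }
  if (sameOrigin) return false;
  if (navigate) win.top.location = win.self.location.href;  // allowed cross-origin
  return true;
}

// Constructed sample response headers: this one relies on CSP alone.
const sampleHeaders = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'",
};
console.log(framingProtection(sampleHeaders));
```

The headers are the real defense; the script is only a fallback, since a framing page can interfere with scripts in the framed document (for example through iframe sandboxing). Run the checker against every response of a site that carries authenticated actions, not just the login page, because the button the victim is tricked into tapping lives on the action page.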

Above all, mobile devices are becoming fatter targets, Bursztein says, because people are spending more time on them and exchanging important data. “People buy things on their phone, they use Facebook and Twitter, and soon enough they will be doing banking on the phone,” he says.

Bursztein and the other Stanford researchers presented their findings at last week’s Workshop on Offensive Technologies (WOOT). They called the problem “tapjacking,” a reference to “clickjacking,” the term used when the same method of attack is applied to a PC browser.

“This is a bunch of small hacks hung together to create a big problem,” says Kevin Mahaffey, chief technology officer of Lookout, a security firm that focuses on mobile devices. “And it will take a lot of concerted effort to solve the problem.”
