Apple Mail spoofing problem

Secure OS X has discovered a spoofing vulnerability in WebKit that also affects Apple Mail. Mail.app uses WebKit to render HTML emails.

The vulnerability involves the way links are displayed in HTML messages in certain circumstances:

The WebKit application fails to show the correct URL in the status bar if an image control with a “title” attribute has been enclosed in a hyperlink and uses a form to specify the destination URL. This may cause a user to follow a link to a seemingly trusted website when in fact the browser opens a malicious website.

Secure OS X recommends being careful when entering personal information after following a link contained in an email.

It also suggests viewing the raw source of the message if you are at all suspicious — View > Message > Raw Source in the menus, or Option-Command-U — to see what the URL really is before clicking on it.
