Security researchers at SPI Labs are warning iPhone users not to use a special feature that lets them dial telephone numbers over the Web using the iPhone's Safari browser. The feature was created to give iPhone users a simple way to dial phone numbers listed on Web pages, but according to SPI, the feature could be misused. Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said.
"Because this vulnerability can be launched from Web sites, everybody who has an iPhone has the potential to get exploited," Hoffman said. In order for the attack to work, the bad guys would have to either trick iPhone users into visiting a malicious Web site or make a legitimate Web site send untrustworthy information to the iPhone using what's known as a cross-site scripting attack. "Any time someone could control the content that's getting sent to the iPhone [the possibility of an attack] exists," Hoffman said.