Vulnerability in iPhone could automatically place calls to expensive numbers

Oh dear. Another day, another vulnerability, and this time around Apple iPhone users are the target of the likely shenanigans. 

A Copenhagen-based developer has discovered a simple way to make a phone automatically dial numbers embedded in a web page, including the "expensive" ones. Say you are browsing the web in Safari on your iPhone and visit a page that contains a telephone number: normally you would tap that number and be presented with an option to dial it, right? So far, so good.

Andrei Neculaesei, a developer with the wireless streaming company Airtame, discovered that even though Safari asks for the user's confirmation before placing a call, most big-name apps, including Facebook Messenger and Google+, will simply go ahead and make the call without asking for the user's permission.

PC World describes the way automatic calls can be placed:

He found a malicious way to abuse the behavior. He created a Web page containing JavaScript that caused a mobile application to trigger a call after someone merely viewed the page.

This could happen to you! View the animated gif of the process here.

It turns out that, besides Facebook Messenger and Google+, Gmail and FaceTime are also vulnerable to this. Check out Neculaesei's complete blog post on his website, where he goes into more detail.

If exploitation of this particular vulnerability becomes widespread, it is very worrying indeed.

Source: PC World | Image & gif: Andrei Neculaesei
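The confirmation step that Safari performs and the affected apps skip, as an added example (not code from the article, from Neculaesei, or from any of the apps named): a WKWebView navigation delegate that refuses to hand tel: and FaceTime URLs to iOS directly, drops any such navigation that was not started by a user tap, and asks before dialling. Class and method names are illustrative, and it assumes a view controller that owns the web view.

```swift
import UIKit
import WebKit

// Added example, not from the article or the apps it names. Illustrative
// view controller that owns a WKWebView and vets dial-out URLs itself.
final class CallGuardingWebViewController: UIViewController, WKNavigationDelegate {
    let webView = WKWebView()
    // Schemes iOS hands to Phone/FaceTime, which dial with no prompt of their own.
    private let dialSchemes: Set<String> = ["tel", "facetime", "facetime-audio"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              dialSchemes.contains(scheme) else {
            decisionHandler(.allow)          // ordinary page navigation
            return
        }
        // Never let the web view pass the URL to iOS itself: that is the
        // path that dials without asking.
        decisionHandler(.cancel)

        // A dial URL that did not come from a tap (for example, one set by page
        // script while the page loads) is the case the article describes; drop it.
        guard navigationAction.navigationType == .linkActivated else { return }

        confirmAndOpen(url)
    }

    private func confirmAndOpen(_ url: URL) {
        // Show the full URL so the number about to be dialled is visible.
        let alert = UIAlertController(title: "Call \(url.absoluteString)?",
                                      message: nil, preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url)
        })
        present(alert, animated: true)
    }
}
```

Even a tap-initiated link still goes through the prompt, so the tap check only decides whether the user is asked at all, never whether dialling proceeds silently.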


Either devs are ignorant of the proper handling of phone call requests, or they are just being lazy. I don't think this function was meant to work quite like that. Anyhoo, I think it can be easily fixed on either the dev or Apple end.

It would be nice to expose what apps have calling access and manage individual rights more clearly in iOS.

Misleading title. Facebook and Google chose to ignore default behavior on iOS, and their apps make your phone vulnerable. Great.

I'm confused. Is this an actual vulnerability in the iPhone software, or is the issue simply that apps have their default behavior set to auto-dial? I think it's the latter, but wanted to make sure. And, if it is the latter, then the article title is STILL misleading -- It needs to blame the apps, not the OS.

The apps are ignoring Apple's documentation on handling the tel: URI.

When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.

https://developer.apple.com/li.../PhoneLinks/PhoneLinks.html

And of course, you can hang up from the dial pad before the number is dialed.

Are they really ignoring it, though? Apple says "However, a native app can be configured to display its own alert." Keyword: CAN. So, these apps possibly did not ignore the documentation, but just CHOSE to skip the prompt. That's possible, right?

My point is: The app developer chose this behavior. It's not a vuln in the OS, and although it's a vuln for the user, the current behavior may have actually been what the dev intended.

PUC_Snakeman said,
I'm confused. Is this an actual vulnerability in the iPhone software, or is the issue simply that apps have their default behavior set to auto-dial? I think it's the latter, but wanted to make sure. And, if it is the latter, then the article title is STILL misleading -- It needs to blame the apps, not the OS.

If the same behavior cannot be achieved in other mobile OS then it is a vulnerability in iOS. These apps could be patched, but the ability for someone to exploit this is still there.

Title is misleading, this is an issue with apps using a webview and not handling clicks on tel:// links properly. The article even says "Who didn't RTFM? Facebook Messenger, Gmail, Google+, Everybody..." The only one it doesn't work in is Safari.

He found a malicious way to abuse the behavior. He created a Web page containing JavaScript that caused a mobile application to trigger a call after someone merely viewed the page.
in Safari, what's misleading about it?

No, not in Safari, it's a link to a page sent through an app that opens its own in-app webview so you don't have to leave the app to view the link. Safari gives a confirmation when clicking on a tel:// link, the apps do not.