
Developer discovers iPhone apps can be forced to place expensive calls




sincity


Ideally, tapping on a phone number on your iPhone will prompt a pop-up asking whether you want to place a call, but one developer says he found a dangerous vulnerability in apps that don't ask first.

This security hole could let attackers force your phone to make a call when you click on a website link, potentially connecting your phone to expensive numbers without warning.

Developer Andrei Neculaesei of Copenhagen company Airtame described the issue on his blog, demonstrating how he created a web page with a link that opens a phone call automatically when accessed from certain native iOS apps.

It reportedly works because these apps, including Facebook Messenger, Apple's Facetime, Google+, Gmail, and others, don't issue a pop-up when users tap a phone number within them.

Hello Pretty!

Neculaesei says he used "some sneaky-beaky-like JavaScript" to make links embedded in websites click themselves. When those sites are accessed through apps other than Safari, the links automatically activate and the calls are placed.

He imagines even more severe dangers than being charged for expensive calls, like users accessing a link through Facetime and automatically transmitting a live video feed to attackers - a tactic he's named "Hello Pretty!"

"Facetime calls are instant," he writes. "Imagine you clicking a link, your phone calls my (attacker) account, I instantly pick it up and (yes) save all the frames. Now I know how your face looks like and maybe where you are. Hello pretty!"

He also warns that although this applies to far more apps than the four he mentions, it's not only Apple's fault, since third-party app developers can configure their software to prompt users when a phone number is tapped.

Many, including big names like Google and Facebook, simply choose not to, but that could very well change in light of this discovery. We've asked Google, Facebook and Apple for comment, and we'll update here if we hear back.
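The app-side prompt the article says developers can add, sketched as an added example (not code from the article, from Neculaesei's blog, or from any of the named apps). It assumes an app that shows web content in a `WKWebView`; the class name `CallConfirmingDelegate` and the `presenter` property are hypothetical.

```swift
import UIKit
import WebKit

// URL schemes that start a call once the system opens them:
// "tel" for phone calls, plus Apple's FaceTime schemes.
let callSchemes: Set<String> = ["tel", "facetime", "facetime-audio"]

final class CallConfirmingDelegate: NSObject, WKNavigationDelegate {
    // Hypothetical: the view controller that owns the web view.
    // It is only used to present the confirmation alert.
    weak var presenter: UIViewController?

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              callSchemes.contains(scheme) else {
            decisionHandler(.allow)   // ordinary web navigation
            return
        }
        // Never hand a call URL to the system straight from page content.
        decisionHandler(.cancel)
        // Prompt whatever triggered the navigation: a page script can
        // activate a link without the user touching it.
        confirmCall(to: url)
    }

    private func confirmCall(to url: URL) {
        // Show the full destination so the user sees what would be dialled.
        let alert = UIAlertController(title: "Place call?",
                                      message: url.absoluteString,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            // The call is placed only after an explicit tap on "Call".
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        // Fails closed: with no presenter the alert is never shown
        // and the call is never placed.
        presenter?.present(alert, animated: true, completion: nil)
    }
}
```

The web view's `navigationDelegate` is a weak reference, so the app has to keep its own strong reference to the delegate object.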
