
Developer discovers iPhone apps can be forced to place expensive calls



Ideally, tapping a phone number on your iPhone prompts a pop-up asking whether you want to place a call, but one developer says he found a dangerous vulnerability in apps that don't ask first.

This security hole could let attackers force your phone to make a call when you click on a website link, potentially connecting your phone to expensive numbers without warning.

Developer Andrei Neculaesei of Copenhagen company Airtame described the issue on his blog, demonstrating how he created a web page with a link that opens a phone call automatically when accessed from certain native iOS apps.

It reportedly works because these apps, including Facebook Messenger, Apple's FaceTime, Google+, Gmail, and others, don't issue a pop-up when users tap a phone number within them.

Hello Pretty!

Neculaesei says he used "some sneaky-beaky-like JavaScript" to make links embedded in websites click themselves. When those sites are accessed through apps other than Safari, the links automatically activate and the calls are placed.

He imagines even more severe dangers than being charged for expensive calls, like users accessing a link through FaceTime and automatically transmitting a live video feed to attackers, a tactic he's named "Hello Pretty!"

"Facetime calls are instant," he writes. "Imagine you clicking a link, your phone calls my (attacker) account, I instantly pick it up and (yes) save all the frames. Now I know how your face looks like and maybe where you are. Hello pretty!"

He also warns that although this applies to far more apps than the four he mentions, it's not only Apple's fault, since third-party app developers can configure their software to prompt users when a phone number is tapped.

Many, including big names like Google and Facebook, simply choose not to, but that could very well change in light of this discovery. We've asked Google, Facebook and Apple for comment, and we'll update here if we hear back.
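One way an app that embeds a web view can add the prompt described above, as an added example (not code from the article, from Neculaesei's blog, or from any of the apps named): a Swift `WKNavigationDelegate` that never hands a call-initiating URL to the system without first showing the user who would be called. The scheme list, the `Verdict` type, the `verdict(for:isMainFrame:)` helper and the `BrowserController` class are assumptions made for this illustration.

```swift
import UIKit
import WebKit

enum Verdict: Equatable { case load, confirmCall(String), block }

// Schemes that place a call when handed to the system (assumed list for this example).
let callSchemes: Set<String> = ["tel", "facetime", "facetime-audio"]

// Pure policy, kept separate from the delegate so it can be unit tested without a web view.
func verdict(for url: URL, isMainFrame: Bool) -> Verdict {
    guard let scheme = url.scheme?.lowercased() else { return .block }
    if ["http", "https", "about"].contains(scheme) { return .load }
    // Unknown schemes, and call links from subframes or new windows, are refused.
    guard callSchemes.contains(scheme), isMainFrame else { return .block }
    // Extract the call target so the prompt shows exactly what would be dialled.
    let raw = String(url.absoluteString.dropFirst(scheme.count + 1))
        .trimmingCharacters(in: CharacterSet(charactersIn: "/"))
    return .confirmCall(raw.removingPercentEncoding ?? raw)
}

final class BrowserController: UIViewController, WKNavigationDelegate {
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url else { return decisionHandler(.cancel) }
        let mainFrame = navigationAction.targetFrame?.isMainFrame ?? false
        switch verdict(for: url, isMainFrame: mainFrame) {
        case .load:
            decisionHandler(.allow)
        case .block:
            decisionHandler(.cancel)
        case .confirmCall(let target):
            decisionHandler(.cancel) // the web view itself never dials
            let alert = UIAlertController(title: "Call \(target)?",
                                          message: "Requested by \(webView.url?.host ?? "this page")",
                                          preferredStyle: .alert)
            alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
            alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
                UIApplication.shared.open(url) // only after an explicit confirmation tap
            })
            present(alert, animated: true)
        }
    }
}
```

The confirmation dialog is the control here: the call is placed only from the alert's own button handler, so a link that a page activates by script still stops at a prompt naming the number and the requesting host.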
