Developers have discovered a security flaw in the iPhone that can be exploited to make automatic phone calls to premium-rate numbers, inflating phone bills and even stealing the user's identity.
Developer Andrei Neculaesei has discovered that maliciously coded links in some apps will abuse the “tel” web handler to automatically make phone calls to premium phone numbers when you view a message from your smartphone, resulting in inflated phone bills.
Andrei Neculaesei, who works with wireless streaming company Airtame in Copenhagen, states that there’s a risk in how most native mobile applications handle phone numbers. Phone numbers often appear as links on a mobile device and can be used by a Uniform Resource Identifier (URI) scheme called “tel” to trigger a call. If a person clicks on a phone number within Apple’s mobile Safari browser, a pop-up asks if the person wants to proceed with a call.
“When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts,” Neculaesei wrote in a post on his blog. “When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.”
He continued, “So if I click the link in Safari I get the prompt asking me to confirm my action; if I click the link in a native app’s webView it doesn’t ask and performs the action right away (makes the call).”
He added that the exploit isn’t limited to any one app or developer: Gmail, Facebook Messenger, Google+ and even less recognizable apps fall prey to the attack. Neculaesei stated on his blog that Apple could mitigate the issue by requiring prompts for all phone links. Neculaesei presented his findings at the BSides security conference in Las Vegas earlier this month.
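The mitigation Neculaesei asks Apple for (a confirmation prompt on every phone link) is something an individual app can enforce today in its own web view. The following is an added example written for this article, not code from Neculaesei’s blog or from any of the apps named above; it assumes a modern WKWebView-based app (the 2014 apps used UIWebView), and the class and method names are the example's own. It intercepts every tel: navigation, cancels the silent dial, and shows the same kind of confirmation alert that mobile Safari displays, so the number is dialled only after the user explicitly agrees.

```swift
import UIKit
import WebKit

// Added example (not code from the article or the apps it names): a view controller
// hosting a WKWebView that refuses to dial tel: links silently. Instead of letting
// the web view hand the URL straight to the phone app, it cancels the navigation
// and asks the user first, mirroring mobile Safari's confirmation prompt.
final class SafeTelWebViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    // Called for every navigation the web content requests, including links
    // whose scheme is handled outside the web view (tel:, mailto:, sms:, ...).
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }

        // Ordinary web content: let the web view load it.
        if scheme == "http" || scheme == "https" {
            decisionHandler(.allow)
            return
        }

        // Telephone links: never dial without asking. Cancel the navigation
        // so iOS does not start the call, then hand the decision to the user.
        if scheme == "tel" {
            decisionHandler(.cancel)
            confirmAndDial(url)
            return
        }

        // Every other scheme is blocked by default; an app that needs one of
        // them (sms:, facetime:, a custom scheme) should opt in explicitly.
        decisionHandler(.cancel)
    }

    private func confirmAndDial(_ url: URL) {
        // Show the number itself, not the raw URL, so the user can judge it.
        let prefix = "\(url.scheme ?? ""):"
        let number = url.absoluteString.dropFirst(prefix.count)
        let alert = UIAlertController(
            title: "Call \(number)?",
            message: "This page is asking to start a phone call.",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            // Only after explicit consent is the tel: URL handed to the system.
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

The important design choice is the default-deny branch at the end: the prompt fixes the tel: case the article describes, but any scheme the web view passes to the system without the app's knowledge is the same class of problem, so unknown schemes are cancelled rather than allowed through.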
Earlier, researchers had discovered a security flaw in Android that allowed malicious sites to automatically make phone calls to premium-rate numbers. Researchers had also discovered a loophole in Android that allows malicious apps to take control of a smartphone's camera and upload images to an unknown server without the user's permission.