Oh dear. Another day, another vulnerability, and this time around Apple iPhone users are the target of the likely shenanigans.
A Copenhagen-based developer has discovered a simple way to automatically make your phone dial numbers embedded in a web page, including the "expensive" ones. Say you are browsing the web using Safari on your iPhone and you visit a page that contains a telephone number. Normally you would be able to tap that number and be presented with an option to dial it, right? So far, so good.
Andrei Neculaesei, a developer with wireless streaming company Airtame, discovered that even though Safari asks for the user's confirmation to place a call, most big-name apps like Facebook Messenger and Google+ will simply go ahead and make the call without asking for the user's permission.
PC World describes the way automatic calls can be placed:
He found a malicious way to abuse the behavior. He created a Web page containing JavaScript that caused a mobile application to trigger a call after someone merely viewed the page.
This could happen to you! View the animated gif of the process here.
It turns out that, besides Facebook Messenger and Google+, Gmail and FaceTime are also vulnerable to this. Check out Neculaesei's complete blog post on his website, where he goes into more detail.
If this particular vulnerability becomes widespread, it is very worrying indeed.
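An added example, not code from Neculaesei's post or from any of the apps named above: one way the host code of an in-app browser could decide what to do with a call link, so that it asks first the way Safari does. It assumes the host can tell whether a navigation came from a user tap; `decideNavigation`, `schemeOf`, `CALL_SCHEMES` and `userTapped` are hypothetical names.

```javascript
// Added example: navigation policy for an in-app browser (hypothetical names).
// Schemes that place a call when opened. "tel" is the standard one (RFC 3966);
// an app would add any other call-placing schemes it hands to the OS (assumption).
const CALL_SCHEMES = new Set(["tel"]);

// Strip characters URL parsers ignore, so "\tTeL:..." cannot slip past the check.
// The host is assumed to see absolute URLs, as webview navigation callbacks do.
function schemeOf(rawUrl) {
  const cleaned = String(rawUrl).replace(/[\t\n\r]/g, "").trim();
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? { scheme: m[1].toLowerCase(), rest: cleaned.slice(m[0].length) } : null;
}

// Returns what the host should do with a navigation request:
//   allow   - ordinary page load
//   confirm - show the number and dial only if the user agrees
//   block   - drop it (call link without a tap, or a target that does not parse)
function decideNavigation(rawUrl, { userTapped }) {
  const parsed = schemeOf(rawUrl);
  if (!parsed) return { action: "block", reason: "no scheme" };
  if (!CALL_SCHEMES.has(parsed.scheme)) return { action: "allow" };

  // Page scripts, redirects and frames arrive here without a tap.
  if (!userTapped) return { action: "block", reason: "call link without user gesture" };

  // Show the user the decoded target, not the link text chosen by the page.
  let number;
  try {
    number = decodeURIComponent(parsed.rest.split(/[;?]/)[0]);
  } catch {
    return { action: "block", reason: "malformed number" };
  }
  // Digits and visual separators only; anything else is refused.
  if (!/^\+?[0-9().\- ]{1,32}$/.test(number)) {
    return { action: "block", reason: "unexpected characters in number" };
  }
  return { action: "confirm", number };
}
```

The host dials only after the user accepts a prompt showing the returned `number`; a `block` result is a useful event to log.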
Source: PC World | Image & gif: Andrei Neculaesei