Ideally tapping on a phone number on your iPhone will prompt a pop-up asking whether you want to place a call, but one developer says he found a dangerous vulnerability in apps that don't ask first.
This security hole could let attackers force your phone to make a call when you click on a website link, potentially connecting your phone to expensive numbers without warning.
Developer Andrei Neculaesei of Copenhagen company Airtame described the issue on his blog, demonstrating how he created a web page with a link that opens a phone call automatically when accessed from certain native iOS apps.
It reportedly works because these apps, including Facebook Messenger, Apple's Facetime, Google+, Gmail, and others, don't issue a pop-up when users tap a phone number within them.
Hello Pretty!
Neculaesei says he used 'some sneaky-beaky-like JavaScript' to make links embedded in websites click themselves. When those sites are accessed through apps other than Safari, the links automatically activate and the calls are placed.
He imagines even more severe dangers than being charged for expensive calls, like users accessing a link through Facetime and automatically transmitting a live video feed to attackers - a tactic he's named 'Hello Pretty!'
"Facetime calls are instant," he writes. "Imagine you clicking a link, your phone calls my (attacker) account, I instantly pick it up and (yes) save all the frames. Now I know how your face looks like and maybe where you are. Hello pretty!"
He also warns that although this applies to far more apps than the four he mentions, it's not only Apple's fault, since third-party app developers can configure their software to prompt users when a phone number is tapped.
Many, including big names like Google and Facebook, simply choose not to, but that could very well change in light of this discovery. We've asked Google, Facebook and Apple for comment, and we'll update here if we hear back.
This security hole could let attackers force your phone to make a call when you click on a website link, potentially connecting your phone to expensive numbers without warning.
Developer Andrei Neculaesei of Copenhagen company Airtame described the issue on his blog, demonstrating how he created a web page with a link that opens a phone call automatically when accessed from certain native iOS apps.
It reportedly works because these apps, including Facebook Messenger, Apple's Facetime, Google+, Gmail, and others, don't issue a pop-up when users tap a phone number within them.
Hello Pretty!
Neculaesei says he used 'some sneaky-beaky-like JavaScript' to make links embedded in websites click themselves. When those sites are accessed through apps other than Safari, the links automatically activate and the calls are placed.
He imagines even more severe dangers than being charged for expensive calls, like users accessing a link through Facetime and automatically transmitting a live video feed to attackers - a tactic he's named 'Hello Pretty!'
"Facetime calls are instant," he writes. "Imagine you clicking a link, your phone calls my (attacker) account, I instantly pick it up and (yes) save all the frames. Now I know how your face looks like and maybe where you are. Hello pretty!"
He also warns that although this applies to far more apps than the four he mentions, it's not only Apple's fault, since third-party app developers can configure their software to prompt users when a phone number is tapped.
Many, including big names like Google and Facebook, simply choose not to, but that could very well change in light of this discovery. We've asked Google, Facebook and Apple for comment, and we'll update here if we hear back.
0 Comments