App security flaw makes your iPhone call without asking


If you’re an iPhone user, you may want to be cautious about opening messages that contain phone numbers in the near future; they may cost you a lot of money. Developer Andrei Neculaesei notes that maliciously coded links in some apps will abuse the "tel" web handler (which covers dialing) to automatically make a phone call the moment you view a message. Potentially, an evildoer could force you to call an expensive toll number before you’ve had a chance to hang up. The exploit isn’t limited to any one app or developer, either. Facebook Messenger, Gmail and Google+ all fall prey to the attack, and it’s likely that other, less recognizable apps exhibit similar behavior. Apple’s Safari browser will ask you before starting a call, but FaceTime’s behavior lets you pull a similar (though not directly related) stunt.

In many cases, it’s the developers who are to blame. They’re supposed to put tighter controls on what happens when a number comes in, such as giving you a warning. However, Apple could theoretically mitigate the issue by requiring prompts for all phone links. You may not have to worry about a spam flood in practice, but let’s hope app writers act quickly — as Android users have already learned, "tel" exploits can cause a lot of grief if left unchecked.
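One way an app could apply the kind of control described above, as an added example (not code from the original article or from any of the apps it names): a `WKWebView` navigation delegate that never lets page content start a call on its own and asks before a tapped link does. The use of `WKWebView`, the names `DialGuard`, `LinkDecision` and `decide`, and the scheme list are assumptions made for illustration.

```swift
import UIKit
import WebKit

/// Schemes that place a call or start an outbound session (assumed list; extend as needed).
private let dialingSchemes: Set<String> = ["tel", "telprompt", "facetime", "facetime-audio", "sms"]

enum LinkDecision: Equatable { case load, confirm, block }

/// Pure policy: web content may never dial by itself, and a tapped link still needs a prompt.
/// Anything that is neither ordinary web navigation nor a known dialing scheme is refused.
func decide(url: URL, userTapped: Bool) -> LinkDecision {
    guard let scheme = url.scheme?.lowercased() else { return .block }
    if dialingSchemes.contains(scheme) { return userTapped ? .confirm : .block }
    return (scheme == "http" || scheme == "https" || scheme == "about") ? .load : .block
}

final class DialGuard: NSObject, WKNavigationDelegate {
    weak var presenter: UIViewController?   // hypothetical host view controller

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url else { return decisionHandler(.cancel) }
        // Only a real tap counts; redirects, script navigation and page loads do not.
        let tapped = navigationAction.navigationType == .linkActivated
        switch decide(url: url, userTapped: tapped) {
        case .load:
            decisionHandler(.allow)
        case .block:
            decisionHandler(.cancel)        // dial attempt that the user did not initiate
        case .confirm:
            decisionHandler(.cancel)        // the web view itself never opens the link
            // Show the exact target so the user can spot an unexpected or toll number.
            let alert = UIAlertController(title: "Call this number?",
                                          message: url.absoluteString,
                                          preferredStyle: .alert)
            alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
            alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
                UIApplication.shared.open(url, options: [:], completionHandler: nil)
            })
            presenter?.present(alert, animated: true)
        }
    }
}
```

Keeping the decision in a pure function makes the rule easy to unit-test separately from the UI.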


Via: PCWorld

Source: Algorithm.dk

http://ift.tt/1rtV4Ea

Source: Engadget Full RSS Feed http://ift.tt/1lqOAn8
