A potential flaw in the way Apple makes life easier for users and app developers could be exploited to force devices to automatically make premium calls, inflating the phone bills of victims and, in some cases, stealing their identities.
Apple allows apps to make phone calls when a user taps a number on screen, by identifying actionable text with tags called URIs (Uniform Resource Identifiers). Calls can be placed without a confirmation dialog popping up when the scheme is used within apps. Such functionality was designed for search and listings apps. However, it has also been used for messaging and communications apps, such that when a person sends someone else a phone number, the recipient can tap it to call it.
Security researcher
Andrei Neculaesei has now demonstrated that attackers can abuse the "tel:" URI scheme by packaging JavaScript along with the target URI which automatically executes the call without waiting for a user to tap anything. With no an OS-level warning in place, an attacker could force phones to dial premium numbers which are instantly picked up on the receiving end, and collect money which would be charged to the victims' phone bills.
An attacker would only have to send out spam messages with a disguised URL to the manipulated code for the scheme to work. In a post to his website, reported by
Engadget, Neculaesei demonstrates the flaw at work in the Facebook Messenger, Gmail and Google+ apps running on an iPhone. Dozens of similar apps might be similarly vulnerable
Rather than blame Apple exclusively, Neculaesei blames the app developers for using the tel: URI irresponsibly. The exact design of the scheme is documented by Apple, and an alternative which forces a prompt, telprompt:, also exists. Apple's URI implementation is meant to give app developers options so that users are not inconvenienced by confirmation dialogs for every call they try to place through an app's interface.
The feature (or bug) takes on a more serious tone when used to trigger FaceTime calls. Users could be tricked into placing video calls which are picked up instantly, at which point screenshots of their faces could be saved without their knowledge.
While the problem is not the result of a traditional security flaw or bug, Apple could force prompts in all cases to mitigate the issue, although this would annoy users.