For iPhone users, there’s definitely some convenience in being able to just tap a phone number, kickstarting a prompt that will ask whether they’d like to call it.
However, there’s some danger in that – with apps that don’t ask whether you’d like to place that call, a developer has found hackers could exploit that as an app vulnerability and force iPhone users to make expensive calls without any warning, writes Michael Rougeau for TechRadar.
Some of the affected apps include Facebook Messenger, Apple’s FaceTime, Google+, Gmail, and others. None of these issue a pop-up prompt when users click on a phone number from within the app, and considering how popular these apps are, this vulnerability could have a huge impact on a wide swath of users. So far, only Facebook has said it is issuing an update to its iOS app to patch the vulnerability, according to TechRadar.
To demonstrate how the app vulnerability works, developer Andrei Neculaesei used JavaScript to make website links click themselves. When the links were opened through apps, rather than through Apple’s Safari browser, the links would automatically start placing calls, Neculaesei wrote on his blog.
Apple doesn’t make a secret of that ability, though. Its documentation of its in-app calling feature is “short and easy to read,” but the trouble is, people don’t bother to read documentation, Neculaesei writes.
“I instantly assumed people do read documentation so there was no way a big player like Facebook, Twitter, Google, LinkedIn, etc. would do such a silly mistake… but I was wrong,” he writes, adding the fallout of this vulnerability could be even worse than just making users pay for expensive calls.
He envisions situations where an attacker might force someone’s iPhone to activate FaceTime and start showing video footage of where the user is, what he or she looks like, and so on – which is definitely a huge privacy concern.
“Facetime calls are instant. Imagine you clicking a link, your phone calls my (attacker) account, I instantly pick it up and (yes) save all the frames,” Neculaesei writes. “Now I know how your face looks like and maybe where you are. Hello pretty!”
That being said, not all of the blame can lie with Apple, he says. That’s because third-party developers still have the ability to write code providing prompts, ensuring they ask users if they’d like to place calls before they actually do so.
