Facebook patching vulnerability that could force iPhones to make calls

For iPhone users, there’s definitely some convenience in being able to just tap a phone number, kickstarting a prompt that will ask whether they’d like to call it.

However, there’s some danger in that – with apps that don’t ask whether you’d like to place that call, a developer has found hackers could exploit that as an app vulnerability and force iPhone users to make expensive calls without any warning, writes Michael Rougeau for TechRadar.

Some of the affected apps include Facebook Messenger, Apple’s FaceTime, Google+, Gmail, and others. None of these issue a pop-up prompt when users click on a phone number from within the app, and considering how popular these apps are, this vulnerability could have a huge impact on a wide swath of users. So far, only Facebook has said it is issuing an update to its iOS app to patch the vulnerability, according to TechRadar.

To demonstrate how the app vulnerability works, developer Andrei Neculaesei used JavaScript to make website links click themselves. When the links were opened through apps, rather than through Apple’s Safari browser, the links would automatically start placing calls, Neculaesei wrote on his blog.

Apple doesn’t make a secret of that ability, though. Its documentation of its in-app calling feature is “short and easy to read,” but the trouble is, people don’t bother to read documentation, Neculaesei writes.

“I instantly assumed people do read documentation so there was no way a big player like Facebook, Twitter, Google, LinkedIn, etc. would do such a silly mistake… but I was wrong,” he writes, adding the fallout of this vulnerability could be even worse than just making users pay for expensive calls.

He envisions situations where an attacker might force someone’s iPhone to activate FaceTime and start showing video footage of where the user is, what he or she looks like, and so on – which is definitely a huge privacy concern.

“Facetime calls are instant. Imagine you clicking a link, your phone calls my (attacker) account, I instantly pick it up and (yes) save all the frames,” Neculaesei writes. “Now I know how your face looks like and maybe where you are. Hello pretty!”

That being said, not all of the blame can lie with Apple, he says. That’s because third-party developers still have the ability to write code providing prompts, ensuring they ask users if they’d like to place calls before they actually do so.

Candice So
Candice So
Candice is a graduate of Carleton University and has worked in several newsrooms as a freelance reporter and intern, including the Edmonton Journal, the Ottawa Citizen, the Globe and Mail, and the Windsor Star. Candice is a dog lover and a coffee drinker.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITB in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web