Proving that autodialing scams aren't found only on The Simpsons, a security researcher has found a serious flaw in the Twitter and LinkedIn iOS apps that lets hackers dial phone numbers on your iPhone. Once a call starts, a hacker can temporarily stop you from hanging up, and by the time you click the Home button to get back to the dialer app, the call may have gone through. Worse still, there's no fix available yet.
This information was disclosed Tuesday (Nov. 8) in a blog posting by Collin R. Mulliner, a New York-based mobile security engineer with the mobile-payment company Square. Mulliner discovered a flaw in how some iOS apps use WebView, the component that lets an app display web pages inside its own window rather than handing them off to Safari (or, on Android, Chrome).
If Mulliner pointed the Twitter and LinkedIn app browsers, for example, to a malicious web page, a single line of HTML code in the page would force an iPhone to dial a phone number without the user's permission.
"There are tons of other messengers and so many other social media apps that ... could potentially be vulnerable," Mulliner told ThreatPost. "It's absolutely simple. Anybody can do this."
However, Mulliner told ThreatPost that the attack didn't work in the Facebook, WhatsApp, SnapChat and Yelp apps. The attack won't work at all on apps that open up a Safari page instead. (We've reached out to Mulliner to see whether anything like this works on Android.)
Here's how the flaw works: An attacker creates a webpage that includes an HTML command to dial a specific telephone number. He then posts a link to the webpage on Twitter or LinkedIn. An unsuspecting iPhone user clicks on the web link from within the Twitter or LinkedIn app, then finds his or her phone suddenly dialing a number.
Normally, at this point the user would see the phone's dialer window and could simply tap the red button to hang up. But Mulliner found that by combining the attack with an old iOS flaw he'd found back in 2008, he could force a random app to open up on the phone's screen and temporarily prevent the user from hanging up, or perhaps from even noticing that a phone number was being called.
For most numbers, you could arguably just hang up once the call goes through; no harm done. But it's not hard to see how a malicious hacker could take advantage of this exploit. Imagine forcing people to call expensive premium-rate numbers, racking up charges, or having them all simultaneously dial 911. A teenager in Arizona was recently arrested for posting a similar iPhone flaw on YouTube, which his viewers used to tie up local 911 calling centers.
Mulliner said he reached out to Twitter, but wasn't satisfied with the company's response. He didn't bother reaching out to LinkedIn because it had a "private" bug-bounty program that didn't accept submissions from strangers. (He did report the issue directly to Apple.) It's not clear if and when either company will fix the app flaws.
In his blog posting, Mulliner used the mobile Safari, Dropbox and Yelp apps as examples of how to handle this issue better. Each pops up approval windows asking the user to approve or deny a call being made, though not all say what the destination number is.
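The approval window the article describes, written out as an added example (not code from the article, from Mulliner's post, or from any of the apps named): a WKWebView navigation delegate that stops a `tel:` link in its tracks, shows the user the exact number, and only hands it to the system dialer after an explicit tap. The `WebViewController` class and the alert wording are hypothetical.

```swift
import UIKit
import WebKit

// Hypothetical view controller wrapping a WKWebView. Added example:
// instead of passing every tel: URL straight to the system dialer,
// it shows the destination number and lets the user approve or deny.
final class WebViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        switch scheme {
        case "http", "https":
            // Ordinary web navigation stays inside the WebView.
            decisionHandler(.allow)
        case "tel":
            // Never dial silently: stop the navigation and ask first.
            decisionHandler(.cancel)
            confirmCall(to: url)
        default:
            // Other schemes (sms:, facetime:, custom app URLs, ...) are
            // refused rather than forwarded to the system.
            decisionHandler(.cancel)
        }
    }

    private func confirmCall(to url: URL) {
        // Show the exact digits so the user can spot a premium-rate or
        // emergency number before anything is dialed.
        let number = url.absoluteString.dropFirst("tel:".count)
        let alert = UIAlertController(title: "Call \(number)?",
                                      message: "This page wants to place a phone call.",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url)
        })
        present(alert, animated: true)
    }
}
```

Because the decision is made inside the app's own delegate, the prompt appears regardless of what the system dialer does afterwards, and a page that embeds the number in an auto-loading frame or script gets the same prompt as a tapped link.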
While users don't have any direct recourse against this flaw, the regular rules of internet common sense still apply. Don't click on strange links, especially if they come from untrusted users. While this won't help if a friend's account is compromised, it'll still help you avoid the vast majority of potential scams that come your way.