This seems to be a bog standard variation of cross site scripting and not trusting your input from Apple. It's basic security that operations that could potentially cost money should be authorized and that you can't trust the calling app to do so. Never mind privacy, I'm off to set up a few premium rate phone numbers to force Apple users into calling...
iOS phone phlaw can UNMASK anonymous users on social media
Apple iThing users can be identified, images of their faces captured and their phones forced to call numbers – all thanks to coding schemes affecting Facebook, Google, and Twitter, among other sites and services, security researchers say. Attackers and pranksters can force iOS coding schemes to send an SMS or an instant …
COMMENTS
Tuesday 2nd September 2014 09:45 GMT Raumkraut
> Well you'll have to write a native app first :)
Except the entire point of the article, if I understood correctly, is that an attacker doesn't need a native app of their own, they only need a website, and users to access said site with a non-Safari app which uses a web view (I imagine a lot of "native" wrapped-HTML5 apps do this).
-
Tuesday 2nd September 2014 15:39 GMT Byz
Well, you read wrong
It is quite clear that the leak is through third party apps like Chrome.
Do you actually program iOS apps?
Or are you just holding your finger in the air and seeing which way you think the wind is blowing?
You can only use a web view via a native app, and then fire off the URL as an action from the webview.
Google is blaming Apple here for an app that it wrote, whereas Safari (written by Apple) doesn't have this issue (yet uses the same web view). QED Google has written their app to the same standard as usual, which is as watertight as a sieve!!!
-
Tuesday 2nd September 2014 18:04 GMT VinceH
"Google is blaming Apple here for an app that it wrote, whereas Safari (written by Apple) doesn't have this issue (yet uses the same web view). QED Google has written their app to the same standard as usual, which is as watertight as a sieve!!!"
WTF?
If the platform itself doesn't prevent this, then the platform itself - and therefore its provider/developer - is at fault. That's iOS, and therefore Apple.
-
Tuesday 2nd September 2014 09:46 GMT Roo
Re: There's no such thing as a secure platform...
"Not sure why you have been down voted here. Very sensible comment. Have an up vote"
I can't speak for the down voter but that comment stated the bleeding obvious. The fact remains that Apple have made iOS remotely exploitable by design. It's a web security 101 level of screw up, the good news is that it should be trivial to fix in iOS, the bad news is that folks are asking apps to fix it instead because they don't want to face the idea that Apple might have screwed the security pooch.
-
Wednesday 3rd September 2014 04:47 GMT AndyDent
Re: There's no such thing as a secure platform...
"remotely exploitable by design" - I'm not sure I agree in this case.
As stated in a previous comment, a web view does NOT automatically follow links (that would be a flaw on Apple's part). The problem is the applications that contain the web views which have followed a bad practice. Apple could be blamed for not making it clearer that this is a bad idea.
This has already been thrashed out in other forums, as said there:
"The article is misleading, if you do nothing your webview won't open any phone call. You have to implement a specific method to intercept links and explicitly open them in the device.
See the `- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request navigationType:(UIWebViewNavigationType)navigationType` method in the official UIWebViewDelegate reference."
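The delegate method named in the comment above, written as a gatekeeper for the hand-off it describes. This is an added example, not part of the thread and not code from any of the apps discussed; the class name `BrowserViewController`, the scheme list and the alert wording are assumptions.

```objective-c
#import <UIKit/UIKit.h>

// Hypothetical view controller hosting a UIWebView (name is illustrative).
@interface BrowserViewController : UIViewController <UIWebViewDelegate>
@end

@implementation BrowserViewController

- (BOOL)webView:(UIWebView *)webView
    shouldStartLoadWithRequest:(NSURLRequest *)request
                navigationType:(UIWebViewNavigationType)navigationType {
    NSURL *url = request.URL;
    NSString *scheme = url.scheme.lowercaseString;

    // Ordinary web content stays inside the web view.
    if ([scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"] ||
        [scheme isEqualToString:@"about"]) {
        return YES;
    }

    // Schemes that hand off to another app and can cost money or reveal identity.
    // (Assumed list for this example; extend it to match what the app supports.)
    NSSet *sensitive = [NSSet setWithObjects:@"tel", @"sms", @"facetime", @"facetime-audio", nil];
    if (![sensitive containsObject:scheme]) {
        return NO; // Unknown scheme: never forward it to the system.
    }

    // Ignore loads the user did not tap (script redirects, iframes, page load).
    if (navigationType != UIWebViewNavigationTypeLinkClicked) {
        return NO;
    }

    // Show the exact target and let the user decide before leaving the app.
    NSString *message = [NSString stringWithFormat:@"This page wants to open:\n%@", url.absoluteString];
    UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"Leave app?"
                                                                   message:message
                                                            preferredStyle:UIAlertControllerStyleAlert];
    [alert addAction:[UIAlertAction actionWithTitle:@"Cancel" style:UIAlertActionStyleCancel handler:nil]];
    [alert addAction:[UIAlertAction actionWithTitle:@"Open" style:UIAlertActionStyleDefault
                                            handler:^(UIAlertAction *action) {
        [[UIApplication sharedApplication] openURL:url];
    }]];
    [self presentViewController:alert animated:YES completion:nil];
    return NO; // The web view itself never loads the sensitive URL.
}

@end
```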
-
Tuesday 2nd September 2014 17:53 GMT ItsNotMe
Re: Apple - The Toxic Hellstew Of Vulnerabilities
Yesterday iCloud, today Facetime & Find My Phone.
There...fixed it for you.
http://www.dailymail.co.uk/sciencetech/article-2739764/Did-iClouds-Find-My-iPhone-function-help-hackers-steal-celebrities-nude-photos-Flaw-exposed-hundreds-images.html
-
Tuesday 2nd September 2014 08:42 GMT Byz
Nothing new
'The document also explains that something called the "tel URL scheme is used to launch the Phone app on iOS devices and initiate dialing of the specified phone number."'
This has been there for years all the way back from iOS 2
I have written apps that open maps and then find a route or make phone calls and they have never prompted, however my apps have to go via the App Store so are screened first (obviously this is as good as the screening), also if Apple discover you are doing something not allowed they take down the app.
If you jailbreak your phone and download an app from another source, you are on your own, and that is where these native apps are likely to be lurking.
-
Tuesday 2nd September 2014 09:14 GMT Anonymous Coward
Re: Nothing new
On Android, firstly before you install the app (either sideloaded or from the play store) it will tell you that the app can use services that cost you money (calls, texts etc).
Then when you click through a link that it detects as a phone number the dialler will open with the number showing (if you have multiple diallers registered it will let you choose which one to use - e.g. a SIP dialler or the default phone dialler). You can then dismiss it or click dial to call it.
-
Tuesday 2nd September 2014 10:23 GMT Doctor_Wibble
History Repeating Again
For a moment I thought we had slipped back a decade or two - clicking on something starts up a rogue dialler without warning you? Wow, not seen that before. Much.
It's far back enough that I can't remember if I first saw these on Win95 or 98.
Simple answer : don't use a mobile device for *anything* that's supposed to stay private.
Simple question : who are you trusting when you use these things?