Jailbroken device maybe ?
A bloke in Scotland reckons a dodgy web advert tried to trick him into sending a text message from his iPhone to a premium-rate number. It's feared more unscrupulous ad networks could use the same technique to trip up Apple fans and rack up larger than expected phone bills. Andrew Smith – an ex-Reg writer, news photographer, …
yep - lots of security bods predicted that the combination of known security exploits (both crash/data execution and execution of unsigned code) would lead to exploits.
https://support.apple.com/en-au/HT205030
Of course we can't be sure, but my guess is that the problem is 8.4 specific - but the 8.4.1 release / fix was not out for long before iOS 9 replaced it - and for some of us who don't want to be guinea pigs for a major new release, that's a problem.
Well it's not actually sending an automated SMS - merely setting up an SMS for the user to send.
I'd guess there is a mechanism to do this from within web pages for mobile phones - a kind of SMS equivalent to a mailto.
And a very quick search comes up with:
Making phone calls and sending SMS with HTML
That shows how to set up a link that has to be clicked (or tapped) - and seems quite a reasonable thing to want to [be able to] do.
So presumably what's happened in this case is that the bastard hard done by but generally very trustworthy advertiser has managed to find a way to make the phone think the link has been clicked, with a bit of Javascript or something.
"has managed to find a way to make the phone think the link has been clicked, with a bit of Javascript or something"
That part seems surprisingly easy. There is a Javascript click() command that can be applied to a DOM element. I discovered this recently when trying to implement an export-to-local-file function in a web application. The code I borrowed to do this used the click() function, and I wondered at the time about possible devious uses.
"managed to find a way to make the phone think the link has been clicked, with a bit of Javascript or something"
Sounds like the first thing he said happened, "the app store opened up", was probably fake and the exit button was really the "set up SMS message" button.
On a web browser I never click anywhere on a window that a browser has launched, no close, no "x" no nothing. I just close the process, on a phone we don't really have the option to have the browser close the window as easily available, sounds like the advertiser has figured this out.
Prize is a compromised iPad, complete with backdoor trojans, keyloggers and control over the webcam.
Nope. Each resource requires separate permissions, and some facilities (such as sending SMS) have to be acknowledged every single time. If you cannot take that as a hint that something is amiss it is a miracle you actually managed to get past the iPad setup routine in the first place, and you ought to stick to crayons.
iOS is a total bastard to compromise. It's not impossible, but to do so without raising a lot of red flags means the user must have either rooted it or must have been dead drunk to just say yes to anything that wanted approval. It is *far* from trivial - too many layers to wade through.
Browsers should be completely blocked from being able to communicate with *any* other program on a device. They shouldn't be able to open my text messaging, the app store, youtube, etc.
One possibility would be for Apple to implement a white list, similar to what they do for location services. I have location services turned off for absolutely everything BUT the find my phone app. In the same vein, I should be able to say "Sorry, but safari is blocked from opening any other application on the device"
Browsers should be completely blocked from being able to communicate with *any* other program on a device...
I disagree. mailto, phone numbers and addresses are things that I frequently click on, to open in another app.
The alarming issue is the apparent programmatic/automatic nature of it.
As an aside, the messaging app on my Moto G warned me recently that I was about to send a chargeable (out-of-bundle) text message; this is probably the appropriate app to know about these things, rather than the browser.
I mostly agree with you - Safari (and other apps) should be much more limited in the way they can call other apps. All it takes is for a bit of fancy javascript to make Safari think a link has been clicked and off it goes to the App store or somesuch. I know I've opened (mostly reputable) websites and been thrown straight to the App store by an ad, before the page finishes loading, which is utterly wrong, but I disagree that a complete block is suitable as there are times when that integration is useful.
As I understand it any request in Safari to open the Dialler to call a number pops up a dialogue asking if you're sure you want to call that number. That should be the case in all "other app" calls e.g. "Are you sure you want to view SuperApp in the App store?"
It doesn't stop PICNIC/ID10T errors clicking through all the dialogues but does give another layer of protection against ads, which it seems are all malicious until proven otherwise!
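The sms:/tel: link mechanism and the script-driven click() described earlier in the thread, together with the "Are you sure you want to call that number?" dialogue proposed just above, can be tied together in one page-side guard. The code below is an added example for this discussion, not code from The Register or from any commenter: it treats sms:/tel: activations as privileged, refuses them when the click is synthetic (a click() or dispatchEvent() produces an event whose isTrusted is false), and otherwise asks the user to confirm before handing off to the messaging or phone app. The scheme list and the message wording are my own choices.

```javascript
// Added example (not from the thread): a page-side guard for "sms:" / "tel:" links.
// Pure decision logic is kept separate from the DOM wiring so it can run outside
// a browser (e.g. under node) with constructed inputs.

// Schemes that hand the page off to another app and can cost the user money.
// (Assumed list; extend to match the platform's registered URL handlers.)
const PRIVILEGED_SCHEMES = new Set(['sms', 'smsto', 'mms', 'tel']);

// Return the URL scheme in lower case, or null when href has no scheme
// (relative links such as "/page" or "#anchor").
function schemeOf(href) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(href || '');
  return m ? m[1].toLowerCase() : null;
}

// Decide whether an activation of `href` may proceed.
//   isTrusted : event.isTrusted of the click; false for element.click() / dispatchEvent()
//   confirmFn : function(message) -> boolean, e.g. window.confirm
// Returns 'allow', 'block-synthetic' or 'block-declined'.
function decideActivation(href, isTrusted, confirmFn) {
  const scheme = schemeOf(href);
  if (!PRIVILEGED_SCHEMES.has(scheme)) return 'allow';   // http(s), mailto, ... left alone
  if (!isTrusted) return 'block-synthetic';              // script-generated click: never hand off
  // Show the user the number (everything after the scheme, before any ?body= etc.).
  const target = href.slice(href.indexOf(':') + 1).split('?')[0].trim();
  const ok = confirmFn(`This page wants to open your ${scheme} app for "${target}". Continue?`);
  return ok ? 'allow' : 'block-declined';
}

// Browser wiring: a capture-phase listener on the document runs before the
// anchor's default navigation and before any page script listeners on the link.
function installLinkGuard(doc, confirmFn) {
  doc.addEventListener('click', (event) => {
    const el = event.target;
    const anchor = el && typeof el.closest === 'function' ? el.closest('a[href]') : null;
    if (!anchor) return;
    const href = anchor.getAttribute('href');
    const verdict = decideActivation(href, event.isTrusted, confirmFn);
    if (verdict !== 'allow') {
      event.preventDefault();            // cancels the sms:/tel: navigation
      event.stopImmediatePropagation();  // keeps other handlers from re-triggering it
      console.warn(`link guard: ${verdict} for ${href}`);
    }
  }, true);
}

// Only wire up the DOM when running in a browser.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installLinkGuard(document, (msg) => window.confirm(msg));
}
```

The guard covers anchor activations only; a script that assigns `location.href = 'sms:...'` directly bypasses it, which is why the commenters' point stands that the confirmation really belongs in the platform or the messaging app rather than in page script. The isTrusted check is the part that addresses the thread's concern: a real tap yields a trusted event, while the click() trick the ad network is suspected of using does not.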
Pic = Advertisers.
Don't get me wrong, chaps, I currently get paid by a so-called online advert agency, so in reality this message is a paid-for advert to block more ads. Advertising is the lowest form of communication, and a worthless waste of untold billions of advert dollars/pounds/rupees/barter-voles. Nothing makes me prouder than teaching the joy of Muting & Diverting to my little one. I 100% of the time mute the sound or switch to another station on video, and just avoid ads altogether, everywhere. It's not that hard. What is advertising anyway? I need to see some asshole with a racist haircut tell me what products I may need or don't know about yet because I'm that fucking stupid? Fuck off, I think I know how to find crap to buy without some cranky twat jiggling her muffins pointing at some product so overpriced that they can afford to buy advertising, rather than make a better product. It's a colossal waste of time and money and if all the lawyers, pedophiles, and advertisers fell into the fucking swamp and become brown time-capsules, fine by me.
Yes, agreed. Saw a passage in a rather old book that quoted a Chinese man visiting the USA. The gentleman said something like, "I am very interested in your advertisements. In China, the State creates propaganda. Everyone knows it is propaganda, but after many repetitions the message enters the mind. Here, private industry creates propaganda. The message is different, but it is the same thing."
A few days ago I was asked to look over some videos promoting a software "solution" my company is considering. First vid: 5 minutes. Substantive, 10-second message: we can create clickable links in scanned architectural drawings. The rest was puff -- actors telling the camera how much better life was with the software. That was all propaganda.
Adblockers and NoScript set to "stun", Cap'n.
You know what Dadmin's doing? He's going for that anti-marketing dollar. That's a good market. He's very smart. He's also going for the righteous indignation dollar. That's a big dollar. A lot of people are feeling that indignation. We've done research – huge market. He's doing a good thing.
The anger dollar too. Huge. Huge in times of recession. Giant market. Dadmin's very bright to do that.
RIP Bill.
Yes, but El Reg must know their tech-savvy userbase contains a much higher percentage of ad-blocker users than most news sites. Yet they don't discourage or block said ad-blocker users; rather, they tacitly encourage them. Despite doing so, El Reg manages to make enough money to pay their staff by convincing advertisers - who, given the industry they're in, should also be aware of this - to buy adverts they know very few will ever see. Pretty clever of them actually!
In my list of people for the chop come the 'revolution', Ad Execs are on my list not far behind Lawyers and Politicians (those who are both are at the head of the queue).
Yes I know it will never happen but one can't stop dreaming of a better world now can one eh?
There really is no point whining on about a better future if no one has bothered to define better, so having the idea all ad execs and the rest of the "devil's lil' helpers" should "suck a tailpipe" is much more than a dream. It's a practical solution and gateway to getting more utility out of breathing than you ever thought possible.
What if we had a Bill Day, where Ad people are encouraged to kill themselves?
We could have a huge zirconium plinth to honour all those that had given their lives so that we may live.
Googling the phone number produces lots of reports of other scams from the same people, mainly from links on Facebook. People reporting that they clicked on a link, and got charged £8 for "entering a competition". And PhonePayPlus refused to take an interest.
Anyone know anyone who could dig into this company a bit more? Might be nice to know who they are.