Click-to-Call Bug Found in iPhones

By Lisa Vaas  |  Posted 2007-07-17 Print this article Print

Attackers could stick users with 900 number calls due to a bug that might also afflict other browser-enabled phones.

A security firm is warning iPhone users not to use the Safari browser to dial telephone numbers because of a bug that could allow attackers to stick victims with a phone bill full of pricey 900-number calls.

The bug likely isnt unique to Apples iPhone, but the most popular device of the moment is the one that SPI Labs chose to check out.
"Its possible a similar type of issue applies to Treos or Windows Mobile devices," the company wrote on its blog post.
Respondents to the post suggested that built-in browsers in other phones, such as BlackBerrys or those from Nokia, are also susceptible given that they provide the same functionality of calling a number from a Web page. The touch-to-dial function on an iPhone allows the user to dial any phone number displayed on a Web page simply by tapping it. Attackers could use the function to perform a number of malicious actions. As quoted from SPI Labs post, attackers can exploit the bug to:
  • Redirect phone calls placed by the user to different phone numbers of the attackers choosing
  • Track phone calls placed by the user
  • Manipulate the phone to place a call without the user accepting the confirmation dialog
  • Place the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
  • Prevent the phone from dialing
Such attacks could be launched from a malicious site, from a legitimate site with cross-site scripting vulnerabilities, or as part of a worms payload. Among other things, an attacker could discover a mobile phone users calls to escort services, could trick a target into dialing any phone number without giving consent, or could lock a phone, forcing the victim to either make a call or hard-reset the phone and possibly suffer data loss as a result. Click here to read about hackers claims that they will soon be able to cut users ties to Cingular wireless service. SPI Labs reported the problem to Apple on July 6 and is working with the company to fix the problem. The Labs R&D team hasnt yet investigated how other smart phones handle telephone number/Web browser integration but told eWEEK it plans to do so in the future. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel