Hackers Can Abuse iOS WebView to Make Phone Calls

The iOS applications of Twitter, LinkedIn and possibly other major vendors can be abused by hackers to initiate phone calls to arbitrary numbers. The attacker can also prevent the victim from ending the call.

Security researcher Collin Mulliner said the cause of the flaw is related to WebView and how the component is handled by some iOS applications. WebView is a browser integrated into mobile apps. It allows developers to build their apps with web technologies, and it’s often used to display web pages inside an application without the need for third-party browsers.

According to Mulliner, an attacker who can convince a user to open a specially crafted webpage via a vulnerable app can make phone calls from the victim’s device. The attack website needs to redirect the victim to a TEL URI, which initiates a call to a specified number. This part of the attack involves only one line of HTML code, but the victim can easily end the call once the number is dialed.

In 2008, Mulliner informed Apple of a similar Safari vulnerability that allowed attackers not only to initiate phone calls, but also to prevent the victim from canceling the call by freezing the phone’s graphical user interface for a few seconds. At the time, Apple addressed the issue with the release of iOS 3.0.

The researcher determined that this bug resurfaced and he managed to tweak his old proof-of-concept (PoC) exploit to initiate calls from the Twitter and LinkedIn iOS apps and prevent the user from canceling the call. He published demonstration videos for both applications.

“The trick is to cause the OS to open a second application while the phone is dialing the given number. Opening applications is pretty straightforward, you open a URL that causes the OS to spawn another application,” Mulliner explained. “This can be anything from the messages app (via the SMS: URL) or iTunes (via the itms-apps: URL). You can pretty much get any application to launch that has a URI binding. In 2008 I used a SMS URL with a really really long phone number to block the UI thread.”

Mulliner reproduced the vulnerability in Twitter and LinkedIn, but he believes other iOS apps could be affected. Applications that open links in third-party browsers, such as Safari and Chrome, are not impacted.

The expert informed Twitter of his findings via the company’s bug bounty program on HackerOne, but the social media giant marked it as a duplicate this week without any comment. He also notified LinkedIn and Apple of the vulnerability, but did not wait for them to release patches before making the issue public.

Applications such as Safari, Dropbox and Yelp warn the user that a phone call is about to be made and prompt them to confirm the action, and the researcher believes other apps should do the same. In addition to app developers, Apple should take steps to prevent this type of WebView abuse.
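The confirmation behavior described above could look like the following for an app that embeds WKWebView. This is an added example, not code from Twitter, LinkedIn, Apple or Mulliner; the class name, the two scheme lists and the 64-character display limit are assumptions made for illustration.

```swift
import UIKit
import WebKit

// Hypothetical in-app browser controller; all names here are illustrative.
final class InAppBrowserViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()
    // Schemes rendered inside the WebView itself (assumed list).
    private static let inlineSchemes: Set<String> = ["http", "https", "about"]
    // Schemes that hand off to another app; opened only after the user confirms (assumed list).
    private static let confirmSchemes: Set<String> = ["tel", "sms", "itms-apps"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        if Self.inlineSchemes.contains(scheme) {
            decisionHandler(.allow)
            return
        }
        // The page never triggers a hand-off by itself: cancel, then ask the user.
        decisionHandler(.cancel)
        // Unknown schemes are dropped; so is any request arriving while a prompt is already shown.
        guard Self.confirmSchemes.contains(scheme), presentedViewController == nil else { return }
        confirmHandOff(to: url, scheme: scheme)
    }

    private func confirmHandOff(to url: URL, scheme: String) {
        // Show a bounded prefix so an oversized URI cannot flood the dialog.
        let target = String(url.absoluteString.prefix(64))
        let alert = UIAlertController(title: "Open \(scheme) link?", message: target,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

Because every non-web scheme is cancelled before any prompt appears, a page that requests a second hand-off while the first prompt is still on screen gets nothing opened.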

Mulliner started investigating the issue after hearing the story of an 18-year-old teen from Arizona who used a similar exploit to “prank” his friends. However, the teen ended up being arrested because he unknowingly used an exploit designed to trigger calls to 911, causing disruptions to emergency services in his area.

Mulliner provided other examples of serious attacks that can be carried out using this type of exploit.

“DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen,” he said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.