Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Hackers Can Abuse iOS WebView to Make Phone Calls

The iOS applications of Twitter, LinkedIn and possibly other major vendors can be abused by hackers to initiate phone calls to arbitrary numbers. The attacker can also prevent the victim from ending the call.

The iOS applications of Twitter, LinkedIn and possibly other major vendors can be abused by hackers to initiate phone calls to arbitrary numbers. The attacker can also prevent the victim from ending the call.

Security researcher Collin Mulliner said the cause of the flaw is related to WebView and how the component is handled by some iOS applications. WebView is a browser integrated into mobile apps. It allows developers to build their apps with web technologies, and it’s often used to display web pages inside an application without the need for third-party browsers.

According to Mulliner, an attacker who can convince a user to open a specially crafted webpage via a vulnerable app can make phone calls from the victim’s device. The attack website needs to redirect the victim to a TEL URI, which initiates a call to a specified number. This part of the attack involves only one line of HTML code, but the victim can easily end the call once the number is dialed.

In 2008, Mulliner informed Apple of a similar Safari vulnerability that allowed attackers not only to initiate phone calls, but also to prevent the victim from canceling the call by freezing the phone’s graphical user interface for a few seconds. At the time, Apple addressed the issue with the release of iOS 3.0.

The researcher determined that this bug resurfaced and he managed to tweak his old proof-of-concept (PoC) exploit to initiate calls from the Twitter and LinkedIn iOS apps and prevent the user from canceling the call. He published demonstration videos for both applications.

“The trick is to cause the OS to open a second application while the phone is dialing the given number. Opening applications is pretty straight forward, you open a URL that causes the OS to spawn another application,” Mulliner explained. “This can be anything from the messages app (via the SMS: URL) or iTunes (via the itms-apps: URL). You can pretty much get any application to launch that has a URI binding. In 2008 I used a SMS URL with a really really long phone number to block the UI thread.”

Mulliner reproduced the vulnerability in Twitter and LinkedIn, but he believes other iOS apps could be affected. Applications that open links in third party browsers, such as Safari and Chrome, are not impacted.

The expert informed Twitter of his findings via the company’s bug bounty program on HackerOne, but the social media giant marked it as duplicate this week without any comment. He also notified LinkedIn and Apple of the vulnerability, but did not wait for them to release patches before making the issue public.

Advertisement. Scroll to continue reading.

Applications such as Safari, Dropbox and Yelp warn the user that a phone call is about to be made and prompts them to confirm the action, and the researcher believes other apps should do the same. In addition to app developers, Apple should take steps to prevent this type of WebView abuse.

Mulliner started investigating the issue after hearing the story of an 18-year-old teen from Arizona who used a similar exploit to “prank” his friends. However, the teen ended up being arrested because he unknowingly used an exploit designed to trigger calls to 911, causing disruptions to emergency services in his area.

Mulliner provided other examples of serious attacks that can be carried out using this type of exploit.

“DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim’s number. Altogether things you don’t want to happen,” he said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.