The iOS apps for LinkedIn, Twitter, and possibly be many other vendors can be squandered by hackers to start phone calls to random numbers. They can also block victims from ending the call.
Collin Mulliner, a security researcher, said the flaw is related to the webview and the behavior of this component handled by some iOS applications. WebView is a web browser integrated into mobile apps. The developers integrate the web technology in their apps which allows displaying web pages inside the application without needing third-party web browsers.
According to Mulliner, an attacker lures the victim into opening a specially crafted website via a vulnerable app to make calls from the victim’s device. The malicious website redirects the target to a Tel URI, which calls to any specified number. This part of the attack only requires one line of HTML code. However, the victim can quickly end the call once the arbitrary number is dialed.
In 2008, Mulliner reported a similar vulnerability in Apple’s Safari that allowed attackers initiate random phone calls and freeze victim’s mobile graphical interface unit to prevent them from ending the call. Apple, later on, fixed the issue with iOS 3.0.
The researcher identified the bug has resurfaced and it allowed him to tweak his old proof-of-concept (POC) to start calls from LinkedIn and Twitter iOS apps and block the user from ending the call.
“The trick is to cause the Operating System to open the second application while the phone is dialing the given number. Opening apps are pretty straight forward; you open a URL that causes the OS to spawn another application,” Collin Mulliner explained, “This can be anything from the messages app (via the SMS: URL) or iTunes (via the items-apps: URL). You can get any application to launch that has a URI binding. In 2008 I used an SMS URL with a long phone number to block the UI thread.”
Mulliner demonstrated the vulnerability in LinkedIn and Twitter, but he believes other vulnerable iOS apps could be affected. The apps that open the links in third-party web browsers such as Chrome and Safari are not impacted.
https://www.youtube.com/watch?v=oYDfe_P9uAQ
https://www.youtube.com/watch?v=WuFx4lxF8DY
Mulliner reported Twitter of his findings through bug bounty program, but the company marked it as duplicate without any comment. He also notified Apple and LinkedIn about the vulnerability but did wait for them to release patches before going public.
Apps such as Dropbox, Yelp, and Safari informs the user before making a phone call to confirm the action; Mulliner believes that other apps should apply the same. Also, Apple should take steps to stop this type of WebView vulnerability.
Mulliner started his research after hearing news about the 18-year old teen who used a similar ‘exploit’ to prank his friends. However, the teen ended up arrested because he inadvertently triggered calls to 911 which caused disruptions to emergency services.
“DoSing 911 is pretty much terrible, but there are other examples like expensive 900 numbers where the attacker can make money. A stalker can force his victim to dial his phone number, so he gets his victim’s number. Altogether things you don’t want to happen,” Mulliner said.
Share this article
About the Author
Peter Buttler an Infosec Journalist and Tech Reporter, Member of IDG Network. In 2011, he completed Masters in Cybersecurity and technology. He worked for leading security and tech giants as Staff Writer. Currently, he contributes to a number of online publications, including The Next Web, CSO Online, Infosecurity Mag, SC Magazine, Tripwire, GlobalSign CSO Australia, etc. His favorite areas Online Privacy, AI, IoT, VR, Blockchain, Big Data, ML, Fintech, etc. You can follow him on twitter.
More from Peter ButtlerRelated Posts
Passengers’ Data Stored on User Devices, not on DigiYatra Storage, says India Govt
KEY TAKEAWAYS Unblocking streaming content from Amazon Prime is easy only if you know the reliable V...
NCSC Chief: Clear Rules Needed to Prevent Cyberspace Conflict and Struggle
A safe and secure digital world necessitates a clear definition and enforcement of international cyb...
‘Revive’ has been upgraded to a banking Trojan on Android
This month, Cleafy’s security researchers discovered a new Android Banking Trojan in the wild....
Asian Industrial Control Systems Targeted by Hackers Using the Shadowpad Backdoor
Unpatched Microsoft Exchange servers in various Asian countries were the target of an attack campaig...
Data Breaches Could Occur Due to Kubernetes Misconfigurations That Were Leaked.
Over 900,000 Kubernetes (K8s) have been discovered to be vulnerable to malicious scans and/or data-e...
Attacks by Cybercriminals Will Become the Main Threat in 2024. Privacy Issues Tendencies
Internet Privacy is the main Concern today Advertisers track your online activities and interf...