Hackers Can Use iOS WebView To Make Phone Calls

Last updated: January 24, 2024

The iOS apps for LinkedIn, Twitter, and possibly many other vendors can be abused by hackers to initiate phone calls to arbitrary numbers. They can also block victims from ending the call.

Collin Mulliner, a security researcher, said the flaw lies in WebView and in how some iOS applications handle that component. WebView is a web browser component embedded in mobile apps: developers use it to display web pages inside their application without handing off to a third-party browser.

According to Mulliner, an attacker lures the victim into opening a specially crafted website inside a vulnerable app, and that website redirects to a tel: URI, which dials whatever number the attacker specifies from the victim’s device. This part of the attack requires only one line of HTML. On its own it is of limited use, however, because the victim can end the call as soon as the number is dialed.
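The defensive counterpart to the behaviour just described is for the app hosting the WebView to refuse to forward a tel: (or facetime:/sms:) navigation to the system without the user's consent. The following is an added example, not code from the article or from the LinkedIn or Twitter apps; the class name is hypothetical, and it relies only on the standard WebKit and UIKit APIs (`WKNavigationDelegate`, `UIAlertController`, `UIApplication.open`).

```swift
import UIKit
import WebKit

// Added example (not from the article): a WKWebView host that never lets a page
// redirect straight into the dialer. Non-web schemes are cancelled inside the
// WebView and, for a short allowlist, shown to the user for confirmation first.
final class SafeWebViewController: UIViewController, WKNavigationDelegate {

    private let webView = WKWebView(frame: .zero)

    // Schemes the WebView itself may load.
    private let webSchemes: Set<String> = ["http", "https", "about"]
    // Schemes handed to the system only after an explicit user confirmation.
    private let confirmSchemes: Set<String> = ["tel", "facetime", "facetime-audio", "sms"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
        // Placeholder start page (constructed); a real app loads its own content here.
        webView.load(URLRequest(url: URL(string: "https://example.com/")!))
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }

        if webSchemes.contains(scheme) {
            decisionHandler(.allow)
            return
        }

        // Never let the WebView follow a non-web scheme on its own.
        decisionHandler(.cancel)

        // Unknown schemes are simply dropped; a production app might log them.
        guard confirmSchemes.contains(scheme) else { return }

        // A page-driven redirect arrives as .other; a real tap as .linkActivated.
        // Both get a prompt, so the number being dialed is always visible to the user.
        let initiatedByUser = navigationAction.navigationType == .linkActivated
        askBeforeOpening(url, initiatedByUser: initiatedByUser)
    }

    private func askBeforeOpening(_ url: URL, initiatedByUser: Bool) {
        let origin = initiatedByUser ? "A link you tapped" : "This page"
        let alert = UIAlertController(
            title: "Open \(url.scheme ?? "") link?",
            message: "\(origin) wants to open \(url.absoluteString)",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

The key design choice is that the decision handler always returns `.cancel` for anything that is not a web scheme, so a silent redirect can never reach the dialer; the confirmation dialog also surfaces the full URI, which is what lets a user notice an unexpected number before the call is placed.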

In 2008, Mulliner reported a similar vulnerability in Apple’s Safari that allowed attackers to initiate arbitrary phone calls and freeze the victim’s phone interface so they could not end the call. Apple later fixed the issue in iOS 3.0.

The researcher found that the bug had resurfaced, and he was able to tweak his old proof-of-concept (PoC) to start calls from the LinkedIn and Twitter iOS apps and block the user from ending them.