The Twitter and LinkedIn iOS applications can be leveraged by attackers to place phone calls.
In addition, the attacker can also prevent the victim from ending the call, researchers said.
The vulnerability stems from WebView and how some iOS applications handle the component, said security researcher Collin Mulliner.
WebView is a browser integrated into mobile apps. It allows developers to build their apps with web technologies, and it’s often used to display web pages inside an application without the need for third-party browsers.
An attacker who can convince a user to open a specially crafted webpage via a vulnerable app can make phone calls from the victim’s device, Mulliner said. The attack website needs to redirect the victim to a TEL URI, which initiates a call to a specified number. This part of the attack involves only one line of HTML code, but the victim can easily end the call once the number is dialed.
In 2008, Mulliner informed Apple of a similar Safari vulnerability that allowed attackers not only to initiate phone calls, but also to prevent the victim from canceling the call by freezing the phone’s graphical user interface for a few seconds. At the time, Apple addressed the issue with the release of iOS 3.0.
The researcher determined this bug resurfaced and he managed to tweak his old proof-of-concept (PoC) exploit to initiate calls from the Twitter and LinkedIn iOS apps and prevent the user from canceling the call. He published demonstration videos for both applications.
“I got a very simple auto phone dialer working in a very short time,” Mulliner said in a blog post. “I was happy and also devastated that it was that easy.”
“The trick is to cause the OS to open a second application while the phone is dialing the given number. Opening applications is pretty straightforward, you open a URL that causes the OS to spawn another application,” Mulliner said in a blog post. “This can be anything from the messages app (via the SMS: URL) or iTunes (via the itms-apps: URL). You can pretty much get any application to launch that has a URI binding. In 2008 I used an SMS URL with a really really long phone number to block the UI thread.”
Mulliner reproduced the vulnerability in Twitter and LinkedIn, but he believes other iOS apps could be affected. Applications that open links in third-party browsers, such as Safari and Chrome, do not suffer from the issue.
The expert informed Twitter of his findings via the company’s bug bounty program on HackerOne, but the social media giant marked it as duplicate this week without any comment. He also notified LinkedIn and Apple of the vulnerability, but did not wait for them to release patches before making the issue public.
Applications such as Safari, Dropbox and Yelp warn the user that a phone call is about to be made and prompt them to confirm the action, and the researcher believes other apps should do the same. In addition to app developers, Apple should take steps to prevent this type of WebView abuse.
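The confirmation step the researcher recommends can be enforced in the in-app browser itself. The following is an added example, not code from the article or from any of the apps it names: a hypothetical WKWebView host (WKWebView and its delegate API are assumed here; the affected apps may use a different WebView component) that renders only http/https in place, cancels every navigation to a dial or app-launch scheme such as tel:, sms: or itms-apps:, and hands such a URL to the OS only after the user explicitly agrees, so a page cannot start a call or spawn a second app silently.

```swift
import UIKit
import WebKit

/// Hypothetical host view controller (added example) that gates navigations
/// which would leave the app and hand control to the dialer or another app.
final class SafeWebViewController: UIViewController, WKNavigationDelegate {
    let webView = WKWebView()

    /// Schemes the article describes as dialer / app-launch vectors.
    /// Anything else that is not http(s) is dropped without a prompt.
    private let promptedSchemes: Set<String> = ["tel", "telprompt", "facetime", "sms", "itms-apps"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        if scheme == "http" || scheme == "https" {
            decisionHandler(.allow)   // ordinary web content renders in place
            return
        }
        // Every non-web scheme is cancelled inside the WebView; the page never
        // gets to trigger the dialer or another app on its own.
        decisionHandler(.cancel)
        if promptedSchemes.contains(scheme) {
            confirmThenOpen(url)
        }
    }

    /// Shows the user exactly what the page is asking to open (including the
    /// full number or target) and only proceeds on an explicit "Open".
    private func confirmThenOpen(_ url: URL) {
        let alert = UIAlertController(title: "Leave this app?",
                                      message: "This page wants to open:\n\(url.absoluteString)",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

Because the alert is modal, a page that chains a tel: navigation with an immediate sms: or itms-apps: launch never gets the second app opened behind the dial, which is the combination the researcher used to keep the victim from hanging up.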