We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,821 News Articles

iPhone's Safari web dialler is hack target

Apple iPhone users told of cross-scripting hack

Users of Apple's iPhone have been warned against using a feature that lets them dial telephone numbers over the web using the iPhone's Safari browser.

The feature was created to give iPhone users a simple way to dial phone numbers listed on web pages, but according to security researchers at SPI Labs, the feature could be misused.

Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive '900' numbers or even keep track of phone calls made by the victim over the web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialling out, or set to dial out endlessly, he said.

"Because this vulnerability can be launched from websites, everybody who has an iPhone has the potential to get exploited," Hoffman said

In order for the attack to work, the bad guys would have to either trick iPhone users into visiting a malicious website or make a legitimate website send untrustworthy information to the iPhone using what's known as a cross-site scripting attack. "Any time someone could control the content that's getting sent to the iPhone [the possibility of an attack] exists," Hoffman said.

SPI is not releasing detailed information on how the web dialling feature could be exploited, but the company contacted Apple on July 6 and is working with the iPhone maker to prevent these types of attacks, Hoffman said. Apple could not be reached immediately for comment.

Because Apple is encouraging software developers to write Safari-based web applications for the iPhone, Safari has come under particular scrutiny from iPhone hackers.

Researchers had previously noted that Safari could be used to misdial numbers, but Hoffman's post suggests that this could be done more easily than previously thought.

Not everybody thought the SPI findings were groundbreaking, including Dave Aitel, chief technology officer with Immunity. "If you can make calls from the web browser, you can make fake calls from the web browser," he said via instant message.

So should iPhone users stop using the web to place calls? "Yes," said Aitel. "If they know a lot of hackers and are a special target."

See also:

Apple iPhone to launch in UK 'in September'

Cybercriminals target Apple iPhone fever

Hackers fail on early iPhone crack promise


IDG UK Sites

Android One vs Android Silver vs Google Nexus: What is the difference?

IDG UK Sites

Apple updates MacBook Pro line-up: Price cuts & spec boosts for 6 MacBook Pro models

IDG UK Sites

Long live the internet fridge: the Internet of Things is coming

IDG UK Sites

How Prometheus' colourist Juan Ignacio Cabrera gave a tense, edgy feel to Chosen