A security researcher has discovered a bug in the iOS WebView that will allow an attacker to force an iPhone to dial any number and lock the phone’s interface so that the outgoing call can’t be cancelled.
The issue has been raised by Collin Mulliner, who encountered a similar bug in the Safari browser in 2008 which was then fixed in the iOS 3 update. Mulliner decided to look back into the bug, he said, after reading a news story about a teenager who was arrested for apparently inadvertently exploiting a similar bug to flood 911 call centers across the US with calls.
Mulliner found that the bug is slightly different to the one he uncovered in 2008 but believes he’s discovered how it works.
Apps should ask first
The bug is first initiated when an iPhone user clicks a malicious link posted within apps such as Twitter and LinkedIn, which use the iOS WebView component to open an in-app web page rather than an external browser like Safari or Chrome.
The link takes the user to a webpage which forces the iPhone to dial the number embedded there and the page repeatedly reloads, freezing the device and making it impossible to cancel the call.
The iPhone is forced to dial the number because the links in these apps are opened by WebView, which auto-dials embedded numbers, unlike Safari, which solved the previous iteration of the bug by first asking the user via a pop-up whether they want to dial the number.
Exploiting the bug to DoS 911 call centers is certainly terrible, but Mulliner warns it's not the only possible use of it, suggesting that such links could also take users to webpages embedded with expensive 900 numbers which would allow attackers to make money from victims.
He even theorizes that a stalker could send a link embedded with their own number to their victim in order to force a call which would then provide the stalker with the victim’s number.
In a blog post, Mulliner states he’s reported the bug to Apple but has also contacted LinkedIn and Twitter with his findings, as he believes that app developers at the very least can review their use of WebView until Apple is able to change its default behavior. We hope they issue a patch quickly; it doesn't sound like this cloud has any silver linings.
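As an illustration of the kind of review app developers could make, here is an added example (not code from Mulliner, Apple, Twitter or LinkedIn) of an in-app web view that asks before dialing, the way Safari does. It assumes the app embeds a `WKWebView`; the class name `ConfirmingDialDelegate` and the list of call schemes are choices made for this example.

```swift
import UIKit
import WebKit

// Added example: navigation delegate for an in-app WKWebView that never
// hands a call URL to the system without an explicit user confirmation.
final class ConfirmingDialDelegate: NSObject, WKNavigationDelegate {
    // URL schemes that can start a call (list assumed for this example).
    private let callSchemes: Set<String> = ["tel", "facetime", "facetime-audio"]
    private weak var presenter: UIViewController?
    private var promptVisible = false   // at most one prompt at a time

    init(presenter: UIViewController) {
        self.presenter = presenter
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              callSchemes.contains(scheme) else {
            decisionHandler(.allow)      // ordinary web navigation
            return
        }
        // The web view itself never follows a call URL.
        decisionHandler(.cancel)

        // Ignore calls requested by script, redirect or reload:
        // only a link the user actually tapped may raise the prompt.
        guard navigationAction.navigationType == .linkActivated,
              !promptVisible,
              let presenter = presenter else { return }

        promptVisible = true
        let raw = String(url.absoluteString.dropFirst(scheme.count + 1))
        let number = raw.removingPercentEncoding ?? raw
        let alert = UIAlertController(title: "Call \(number)?", message: nil,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel) { [weak self] _ in
            self?.promptVisible = false
        })
        alert.addAction(UIAlertAction(title: "Call", style: .default) { [weak self] _ in
            self?.promptVisible = false
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        presenter.present(alert, animated: true)
    }
}
```

The owning view controller has to keep a strong reference to the delegate, because `WKWebView.navigationDelegate` is a weak property.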
Mulliner has posted a video of the bug in action.