Facebook is already working to fix forced-call iPhone app vulnerability

Facebook Messaging
Apparently everyone hating it is not Facebook Messenger's only problem

Updated: A Facebook spokesperson told TechRadar that the social network has already prepared an update to address the issue described below, in which clicking a web link from native iPhone apps can force your phone to automatically make a call, potentially to expensive or harmful numbers.

Facebook's iOS app fix should go out any time now, but that still leaves many other apps vulnerable.

Original story follows…

Ideally tapping on a phone number on your iPhone will prompt a pop-up asking whether you want to place a call, but one developer says he found a dangerous vulnerability in apps that don't ask first.

This security hole could let attackers force your phone to make a call when you click on a website link, potentially connecting your phone to expensive numbers without warning.

Developer Andrei Neculaesei of Copenhagen company Airtame described the issue on his blog, demonstrating how he created a web page with a link that opens a phone call automatically when accessed from certain native iOS apps.

It reportedly works because these apps, including Facebook Messenger, Apple's Facetime, Google+, Gmail, and others, don't issue a pop-up when users tap a phone number within them.

Hello Pretty!

Neculaesei says he used "some sneaky-beaky-like JavaScript" to make links embedded in websites click themselves. When those sites are accessed through apps other than Safari, the links automatically activate and the calls are placed.

He imagines even more severe dangers than being charged for expensive calls, like users accessing a link through Facetime and automatically transmitting a live video feed to attackers - a tactic he's named "Hello Pretty!"

"Facetime calls are instant," he writes. "Imagine you clicking a link, your phone calls my (attacker) account, I instantly pick it up and (yes) save all the frames. Now I know how your face looks like and maybe where you are. Hello pretty!"

He also warns that although this applies to far more apps than the four he mentions, it's not only Apple's fault, since third-party app developers can configure their software to prompt users when a phone number is tapped.

Many, including big names like Google and Facebook, simply choose not to, but that could very well change in light of this discovery. We've asked Google, Facebook and Apple for comment, and we'll update here if we hear back.

Facebook forcing us to download Messenger is a brilliant move

Via PC World

Michael Rougeau

Michael Rougeau is a former freelance news writer for TechRadar. Studying at Goldsmiths, University of London, and Northeastern University, Michael has bylines at Kotaku, 1UP, G4, Complex Magazine, Digital Trends, GamesRadar, GameSpot, IFC, Animal New York, @Gamer, Inside the Magic, Comic Book Resources, Zap2It, TabTimes, GameZone, Cheat Code Central, Gameshark, Gameranx, The Industry, Debonair Mag, Kombo, and others.


Micheal also spent time as the Games Editor for Playboy.com, and was the managing editor at GameSpot before becoming an Animal Care Manager for Wags and Walks.