NEWS
iOS Webview Problem Allows Attackers to Initiate Phone Calls
2539
2016-11-10
Posted by 3uTools

iOS Webview Problem Allows Attackers to Initiate Phone Calls


iOS developers who have embedded Apple’s WebView into mobile apps need to be aware of an exploitable issue that could allow phone calls to a number of the attacker’s choosing.


Researcher Collin Mulliner said the vulnerability is trivial to exploit, requiring at a minimum one line of HTML code. The risks to the user include ramped up charges to premium numbers, or worse, denial-of-service attacks similar to one last week that landed an Arizona man in jail for an exploit he shared on YouTube that allowed users to flood 911 call centers with calls just with one click.

Mulliner said that popular iOS apps such as Twitter and LinkedIn are vulnerable to attacks; the researcher said he also tested Facebook, WhatsApp, Snapchat and Yelp, and none of those apps were exposed. Mulliner cautioned, however, that looked at only ubiquitous iOS apps, and the potential for a much higher number of vulnerable apps is likely. “There are tons of other messengers and so many other social media apps that and those could potentially be vulnerable,” Mulliner said. “Any app that has a WebView in their app where a URL can be loaded that the user can submit to the app is potentially vulnerable. It’s absolutely simple. Anybody can do this.”

Mulliner went public with his disclosure after a private notification to Twitter resulted first in a quick acknowledgment and then a terse note saying that this was a duplicate issue and the ticket was closed. He also tried to disclose to LinkedIn’s bug bounty, but learned it was a private program and that someone from its security team would investigate. Apple also acknowledged a report from Mulliner and said it would investigate as well.


To exploit the vulnerability, an attacker would merely need to send the victim a link that would redirect to a site hosting the attacker’s HTML code. The code would initiate a call via the dialer on the device, which is similar to a bug Mulliner reported in 2008 to Twitter. Mulliner said he could also keep the user from disconnecting the call by forcing a second app to the home screen that would overlay the dialer. In a report he published Wednesday, Mulliner said his old code still worked. One line of HTML will trigger the dialer, 10 lines will hide the attack, he said.

“I thought this was solved eight years ago. Apparently it is not,” Mulliner said. “You don’t need anything special. Any version of the iPhone with the Twitter or LinkedIn app will work; no special software, just the ability to host an HTML page.”







Related Articles
Alibaba Pandora Lab Jailbreaks iOS 11.2 Successfully Rumor: Apple Blocks Activation on iOS 9.0-9.3.5 Firmware Apple Still Signing iOS 11.3 Beta 5/6, Downgrade to It to Jailbreak Your iPhone iCloud Bypass Bug Discovered in iOS 11 iOS 10.3 Jailbreak / iOS 10.3.1 Jailbreak How to Download Apple’s Official iOS IPSW with One Simple Step? Backup Your iOS Device When It's Disabled or in Password in Normal Mode Qihoo 360 Vulcan Team has Achieved iOS 11.3 Jailbreak