A bug in the way that iOS WebView handles some kinds of links can be used to force a victim’s iPhone to call a number controlled by an attacker, such as a premium-rate number, a security researcher has found.
The vulnerability lies in the way that WebView treats some links, specifically phone number links in apps. Some apps will open links in browser windows, while others will do so in the WebView inside the app. Researcher Collin Mulliner looked at the way that WebView handles phone number links in apps such as Twitter and LinkedIn and discovered that he could force a phone to dial a number and also hide the phone user interface so that the victim can’t stop the call. Mulliner originally discovered a similar problem in 2008 and reported it to Apple, which published a fix at the time.
But there’s still a problem with how iOS WebView handles these links. Mulliner looked at it again in the last few days after seeing news reports about a man who triggered an accidental DoS attack against a 911 system using the bug. An attacker could use the problem to get victims to call a premium-rate number he controls in order to rack up charges.
“During the weekend I took some time to further investigate the issue. I determined that this might be a general issue with iOS apps that use WebViews to display content. I tested a few popular apps I had installed. Vulnerable apps need a way for users to post web links that will be opened in a WebView inside the app itself. Apps that open links in mobile Safari or Chrome would not be vulnerable (I tested this). One app I tested fairly early was the LinkedIn app since LinkedIn basically is social media for the business context. People can send messages and post updates. Updates usually are text and link. I posted a link and clicked it and yes it dialed my other phone,” Mulliner said in a post on the issue.
“The beauty of my 2008 bug was that I could block the phone’s UI for a few seconds and therefore prevent the user from canceling the call. I managed to abuse exactly the same trick to block the UI that I used in 2008. The trick is to cause the OS to open a second application while the phone is dialing the given number. Opening applications is pretty straightforward, you open a URL that causes the OS to spawn another application. This can be anything from the messages app (via the SMS: URL) or iTunes (via the itms-apps: URL). You can pretty much get any application to launch that has a URI binding.”
Mulliner tried to report the issue to LinkedIn through the company’s private bug bounty, but was not a member of the bounty program. He did report it to Twitter, which he said closed the issue on Tuesday without comment. He said the problem needs to be addressed by both app developers and Apple itself.
“App developers have to add a check to their webview code and show a dialog before dialing a number. Apple should add a dialog to the phone dialing code and have app developers jump through hoops to remove it. Apple should switch to a secure default,” Mulliner said via email.
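The developer-side check Mulliner describes, written as an added illustration rather than code from his post or from any of the apps named: a hypothetical `SafeWebViewController` wraps a `WKWebView` and uses the navigation delegate to cancel `tel:`, `sms:`, `itms-apps:` and similar app-launching links, showing a confirmation dialog before anything is dialed or opened. The scheme list and the dialog wording are assumptions, not Apple or LinkedIn guidance.

```swift
import UIKit
import WebKit

/// Hypothetical view controller: a WebView that never lets a link dial a number
/// or launch another app without the user confirming first (secure default).
final class SafeWebViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()

    // Assumed list of schemes that start a call or spawn another application.
    private static let schemesRequiringConsent: Set<String> =
        ["tel", "telprompt", "sms", "facetime", "itms-apps"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    /// Called for every navigation the WebView wants to perform. Ordinary web
    /// loads proceed; anything that would leave the app is cancelled here and
    /// only re-issued through UIApplication after the user agrees.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        if scheme == "http" || scheme == "https" {
            decisionHandler(.allow)
            return
        }
        // Cancel in the WebView first so the OS never handles the URL silently.
        decisionHandler(.cancel)
        if Self.schemesRequiringConsent.contains(scheme) {
            confirmThenOpen(url)
        }
        // Unknown schemes are dropped without a dialog.
    }

    private func confirmThenOpen(_ url: URL) {
        let target = url.absoluteString.removingPercentEncoding ?? url.absoluteString
        let alert = UIAlertController(title: "Leave the app?",
                                      message: "This link wants to open:\n\(target)",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

Because the dialog runs before `UIApplication.shared.open`, a second app-launching URL in the same page cannot be used to cover the dialer while a call is placed.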
For users, there’s not a very good defense available right now, he said.
“Basically not clicking on ‘random’ links especially from people they don’t know. I know this is unrealistic,” he said.