App security flaw makes your iPhone call without asking

Facebook Messenger

If you're an iPhone user, you may want to think twice before opening messages that contain phone numbers; they could cost you real money. Developer Andrei Neculaesei has shown that a maliciously crafted link using the "tel" URL scheme (the handler iOS uses for dialing) can place a phone call the moment some apps display the message, with no tap and no confirmation. An attacker could use it to make your phone dial an expensive premium-rate number, and the call is already connected before you get a chance to hang up. The problem isn't limited to one app or developer, either: Facebook Messenger, Gmail and Google+ all fall for it, and it's likely that other, less recognizable apps behave the same way. Apple's own Safari browser asks before starting a call, but FaceTime's handling of links allows a similar (if not directly related) stunt.

In many cases the developers are to blame. Apple leaves it to each app to control what happens when a tel: link is opened, and the expected control is a warning that lets you approve or cancel the call before it's placed. Apple could also mitigate the issue system-wide by requiring a prompt for every phone link, whoever opens it. A flood of auto-dialing spam may never materialize, but app writers should act quickly all the same: as Android users have already learned, "tel" exploits can cause a lot of grief if left unchecked.
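As an added example that is not from the article or from any of the apps it names, here is what that developer-side control looks like in a hypothetical Swift view controller that renders a message body in a WKWebView. Everything in it, including the class name, the sample message and the premium-rate-looking number, is constructed for illustration. The 2014 apps used the older UIWebView, which is now deprecated, and which schemes a given web view opens on its own varies by iOS version, so the delegate refuses every tel: navigation itself and only dials after the user has tapped a link and confirmed.

```swift
import UIKit
import WebKit

/// Hypothetical view controller (not from the article) that shows a message
/// body in a web view, the way a messaging or mail client might.
final class MessageWebViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)

        // Constructed sample message: the script redirects to a tel: URL as
        // soon as the page renders, so no tap is needed. This is the pattern
        // the article describes; the number is fictional.
        let html = """
        <p>Hi! Your package is waiting, call us to arrange delivery.</p>
        <script>window.location.href = "tel:+19005550199";</script>
        """
        webView.loadHTMLString(html, baseURL: nil)
    }

    // The control the article says developers should add: every tel:
    // navigation is cancelled here, and dialing only happens through
    // confirmAndDial, which asks the user first.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.allow)
            return
        }

        if scheme == "tel" {
            // Never let the web view place the call itself.
            decisionHandler(.cancel)
            // Script-driven redirects arrive as .other and are dropped
            // silently; only a real tap on a link (.linkActivated) earns
            // a confirmation dialog.
            if navigationAction.navigationType == .linkActivated {
                confirmAndDial(url)
            }
            return
        }
        decisionHandler(.allow)
    }

    private func confirmAndDial(_ url: URL) {
        let number = url.absoluteString.dropFirst("tel:".count)
        let alert = UIAlertController(
            title: "Call \(number)?",
            message: "A link in this message wants to place a phone call.",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            // Hand the number to the system dialer only after explicit consent.
            UIApplication.shared.open(url)
        })
        present(alert, animated: true)
    }
}
```

With this in place the constructed message above does nothing: its script-triggered redirect reaches the delegate with a navigation type of .other and is cancelled without any UI. A plain tel: link that the user actually taps reaches the delegate as .linkActivated and gets the confirmation alert, which is the behavior Safari already has and the article asks app developers to match.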