
App security flaw makes your iPhone call without asking

Jon Fingas, @jonfingas
August 24, 2014

If you're an iPhone user, you may want to be cautious about opening messages that contain phone numbers in the near future; they may cost you a lot of money. Developer Andrei Neculaesei notes that maliciously coded links in some apps will abuse the "tel" web handler (which covers dialing) to automatically make a phone call the moment you view a message. Potentially, an evildoer could force you to call an expensive toll number before you've had a chance to hang up. The exploit isn't limited to any one app or developer, either. Facebook Messenger, Gmail and Google+ all fall prey to the attack, and it's likely that other, less recognizable apps exhibit similar behavior. Apple's Safari browser will ask you before starting a call, but FaceTime's behavior lets you pull a similar (though not directly related) stunt.

In many cases, it's the developers who are to blame. They're supposed to put tighter controls on what happens when a number comes in, such as giving you a warning. However, Apple could theoretically mitigate the issue by requiring prompts for all phone links. You may not have to worry about a spam flood in practice, but let's hope app writers act quickly -- as Android users have already learned, "tel" exploits can cause a lot of grief if left unchecked.
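One way an app can apply the warning described above, as an added example that is not from the article or from any of the apps it names: a navigation delegate that refuses call links the user did not tap and asks before handing a tapped one to the system. The class name `DialGuardDelegate`, the `presenter` property and the use of a `WKWebView` to render message content are assumptions.

```swift
import UIKit
import WebKit

/// Hypothetical navigation delegate for a web view that renders message content.
final class DialGuardDelegate: NSObject, WKNavigationDelegate {
    // URL schemes that hand off to the dialer or FaceTime and can start a call.
    private let callSchemes: Set<String> = ["tel", "facetime", "facetime-audio"]

    // View controller used to show the confirmation prompt (assumed to be set by the app).
    weak var presenter: UIViewController?

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              callSchemes.contains(scheme) else {
            decisionHandler(.allow)   // ordinary navigation, not a call link
            return
        }

        // The web view itself never acts on a call link.
        decisionHandler(.cancel)

        // Redirects, scripted navigations and embedded loads are not taps: drop them silently.
        guard navigationAction.navigationType == .linkActivated else { return }
        confirmCall(to: url)
    }

    private func confirmCall(to url: URL) {
        // Show the real target of the link, not whatever text the message displayed.
        let target = url.absoluteString.removingPercentEncoding ?? url.absoluteString
        let alert = UIAlertController(title: "Start a call?",
                                      message: "This link will dial: \(target)",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            // Only reached after an explicit confirmation by the user.
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        presenter?.present(alert, animated: true)
    }
}
```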
