If you own an iPhone, there’s a very good chance that you have at least one app that makes you vulnerable to a new security risk. According to the researcher who discovered the flaw in iOS, it could be targeted from just about any messaging app that’s available from the App Store… and there’s no shortage of those.
Security researcher Collin Mulliner revealed the vulnerability in a post on his blog this week, after his reports to several companies were met with very little enthusiasm. The bug exists in an iOS component called WebView, which lets developers display web-based content inside their own apps using the same browser engine as Apple’s built-in Safari.
The attack, according to Mulliner, is quite easy to pull off. “It’s absolutely simple. Anybody can do this,” he said. All a hacker has to do is send a link to a web page that contains specially-crafted HTML code. The victim taps the link, the code is executed, and the compromised iPhone places the call.
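On iOS, a web view can only reach the dialer by navigating to a URL scheme such as tel: (a detail the article does not spell out), so the host app is the right place to stop it. The following is an added example of that defence, not Mulliner’s code or any vendor’s; it assumes a hypothetical app built on WKWebView that wants http(s) navigation only and an explicit user confirmation before any scheme that can place a call or send a message.

```swift
import UIKit
import WebKit

/// Hypothetical view controller hosting a WKWebView (added example, not the page's code).
final class SafeWebViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()
    // Schemes that hand off to the phone or messaging stack; assumption: these are the
    // only non-web schemes the app ever wants to honour, and only after a confirmation.
    private let callSchemes: Set<String> = ["tel", "telprompt", "facetime", "facetime-audio", "sms"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        // Ordinary web navigation stays inside the web view.
        if scheme == "http" || scheme == "https" {
            decisionHandler(.allow)
            return
        }
        // Everything else is refused by the web view itself, so page content (frames,
        // redirects, scripts) can never dial on its own. A call-type scheme reached by an
        // actual user tap is the one case that proceeds, and only to a confirmation dialog.
        decisionHandler(.cancel)
        if callSchemes.contains(scheme), navigationAction.navigationType == .linkActivated {
            confirmAndOpen(url)
        }
    }

    private func confirmAndOpen(_ url: URL) {
        let alert = UIAlertController(title: "Leave the app?",
                                      message: "This page wants to open \(url.absoluteString).",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Continue", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

An app still using the older UIWebView gets the same effect from its UIWebViewDelegate shouldStartLoadWith callback, which sees the same request URL before the load begins.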
Here’s his demonstration of the flaw being exploited from inside the Twitter app: [embedded video]
And here from within LinkedIn: [embedded video]
A Simple Little Bug With Big Profit Potential
What’s the big deal with a flaw that lets someone make calls from your phone? If you happen not to be paying attention and an attacker dials out to a premium-rate phone number, that cost comes out of your pocket. That may seem like a far-fetched scenario, but it really isn’t. Several malware strains that surreptitiously send SMS or MMS messages to steal money from victims have popped up over the years.
The bottom line is that if hackers think there’s any possible way to turn a vulnerability into a quick payday — even a small one — they’re going to exploit it.
Not Necessarily All About The Benjamins
There’s another reason a hacker might want to be able to force phones to make calls: launching a DDoS attack. While websites and Internet-connected services are the usual targets of DDoS attacks, phone systems aren’t immune. Just last month, an 18-year-old hacker from Arizona was arrested and charged with computer tampering after flooding the Phoenix metro area’s 911 system. [Forbes]