iOS phone phlaw can UNMASK anonymous users on social media

Facebook, Google ... nobody read TFM, says security chap


Apple iThing users can be identified, images of their faces captured and their phones forced to call numbers – all thanks to coding schemes affecting Facebook, Google, and Twitter, among other sites and services, security researchers say.

Attackers and pranksters can force iOS coding schemes to send an SMS or an instant message through Facebook, Google Plus or GMail which, when opened, makes the victim's phone place a call without first triggering a prompt confirming the action.

The flaw can also be used to unmask anonymous Twitter users by baiting them to open links which would in turn force their devices to place phone calls.

FaceTime calls can also be placed, allowing an attacker to potentially capture a still image of a victim's face.

These attacks can be crafted to trigger the action without any interaction from the victim, save for visiting the page.

Apple has detailed the problem in its guidance:

"When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user," the document reads.

The document also explains that something called the "tel URL scheme is used to launch the Phone app on iOS devices and initiate dialing of the specified phone number."
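One way an app with an embedded web view can restore the confirmation step Apple describes, shown as an added example that is not code from the article, from Apple or from any of the apps named. It assumes a WKWebView-based app; `sensitiveSchemes`, `decide` and `GuardedWebViewController` are hypothetical names, and the https-only allow list is an assumed policy.

```swift
import UIKit
import WebKit

// Schemes that make iOS dial or message (the article names tel and FaceTime).
// Assumption: illustrative list; extend it for the schemes your app can reach.
let sensitiveSchemes: Set<String> = ["tel", "facetime", "facetime-audio", "sms"]

enum LinkDecision: Equatable { case allowInWebView, block, confirmWithUser }

// Pure policy function, kept separate so it can be unit-tested without a web view.
func decide(url: URL?, userTapped: Bool, isMainFrame: Bool) -> LinkDecision {
    guard let scheme = url?.scheme?.lowercased() else { return .block }
    // Assumed policy: only https content (and about:blank) renders in the view.
    if scheme == "https" || scheme == "about" { return .allowInWebView }
    guard sensitiveSchemes.contains(scheme) else { return .block }
    // Page-driven loads (iframes, scripts, redirects) never get to dial.
    return (userTapped && isMainFrame) ? .confirmWithUser : .block
}

final class GuardedWebViewController: UIViewController, WKNavigationDelegate {
    func webView(_ webView: WKWebView,
                 decidePolicyFor action: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationPolicy) -> Void) {
        let url = action.request.url
        let decision = decide(url: url,
                              userTapped: action.navigationType == .linkActivated,
                              isMainFrame: action.targetFrame?.isMainFrame ?? false)
        switch decision {
        case .allowInWebView:
            decisionHandler(.allow)
        case .block:
            decisionHandler(.cancel)
        case .confirmWithUser:
            decisionHandler(.cancel)  // the web view itself never acts on the URL
            guard let url = url else { return }
            // Show the full target so the user sees what will be dialed.
            let alert = UIAlertController(title: "Place call?",
                                          message: url.absoluteString,
                                          preferredStyle: .alert)
            alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
            alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
                UIApplication.shared.open(url, options: [:], completionHandler: nil)
            })
            present(alert, animated: true)
        }
    }
}
```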

The problem came to light when security researcher Ravi Borgaonkar suggested Google and Facebook may not have read the manual or perhaps ignored how the tel scheme works.

"I instantly assumed people do read documentation so there was no way a big player like Facebook, Twitter, Google, LinkedIn, etcetera would make such a silly mistake ... but I was wrong," Borgaonkar wrote.

"While I only tested on a few apps which are big names, it is safe to assume that the smaller teams and platform haven't even thought about preventing this."

Borgaonkar has posted a demo of the flaw working its evil magic on Facebook here (GIF).

Independent security bod Guillaume Ross (@gepeto42) said Apple added a warning that a FaceTime call was about to be made not in the application itself but in its Safari web browser, meaning other third-party browsers and apps could still be exposed to issuing silent FaceTime calls.

Credit: Ross


Ross reported the risk to developers of the small One Password browser, who promptly fixed the flaw, but Google said it was not a Chrome problem and suggested Apple should fix it within FaceTime.

Pranksters could also overwrite text files on a user's iCloud account by guessing a file's name (such as important.txt or notes.txt) and crafting a website that used the byword iOS scheme.

Ross found similar issues in Twitter (or any app that uses UIWebView or WebKit) that he could exploit to force users to follow accounts, a feat that could tie users to their anonymous Twitter profiles.

"If you want to know who a real Twitter user is, just send them a link that has an inline frame [and] as soon as they click on the link the call is established and you know who he is," Ross said. "If you need to know someone's phone number, it's really useful."

The first of these iOS coding issues was discovered by researcher Nitesh Dhanjani in 2010 who found that Skype could be made to place calls from iframes without user intervention. ®
