Beware the iPhone/Safari dialer

Summary: One of the iPhone's niftiest features, dialing any phone number by simply tapping a link on a Web page, can also be one of its most dangerous.



Security researchers at SPI Labs say this feature can be abused by attackers to redirect phone calls placed by the user to numbers of the attacker's choosing; to track the calls the user places; to trick the phone into placing a call without the user accepting the confirmation dialog; or to put the phone into an infinite loop of attempted calls, from which the only escape is to power the phone off.


SPI Labs lead researcher Billy Hoffman, a Web application security specialist, warned that these attacks can be launched from a malicious website, from a legitimate website that has cross-site scripting (XSS) vulnerabilities, or as part of the payload of a web application worm.

For example, an attacker could determine that a specific website visitor, "Bob", has called an embarrassing number such as an escort service. An attacker could also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker could lock Bob's phone, forcing Bob either to make the call or to hard-reset the phone, with possible data loss.
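As an added illustration (not code from SPI Labs or from this article), the JavaScript below models the "redirect a call" case: a page with ordinary tel: links, an injected script of the kind an XSS flaw would allow that rewrites only the dialed number while leaving the visible text untouched, and a check a site owner or scanner can run to flag tel: links whose dialed number does not match the number shown to the user. The page markup, the function names and the phone numbers are constructed for the example. It models only the redirect case; the confirmation-dialog bypass and the call loop depend on Safari behaviour the article does not detail.

```javascript
// Added example, not SPI Labs' or the article's code. Models the "redirect a
// call" attack class as a script rewriting tel: hrefs, plus a defensive check
// that flags tel: links whose dialed number differs from the displayed one.
// SAMPLE_PAGE is constructed for illustration; the numbers are not real.

const SAMPLE_PAGE = `
<p>Call our support line: <a href="tel:+1-800-555-0100">+1 800 555 0100</a></p>
<p>Sales: <a href="tel:18005550199">1 (800) 555-0199</a></p>
<p><a href="https://example.test/contact">Contact form</a></p>
`;

// Keep only the dialable characters: digits, with a leading '+' preserved.
function normalizeNumber(s) {
  const digits = s.replace(/[^0-9]/g, '');
  return s.trim().startsWith('+') ? '+' + digits : digits;
}

// Minimal extraction of <a href="tel:..."> elements. A regex is enough for the
// constructed sample; a real scanner should walk the DOM instead.
function extractTelLinks(html) {
  const re = /<a\s+[^>]*href\s*=\s*["']tel:([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({
      href: 'tel:' + m[1],
      dialed: normalizeNumber(decodeURIComponent(m[1])),
      shown: m[2].replace(/<[^>]+>/g, ''), // visible text, tags stripped
    });
  }
  return links;
}

// Attack side (hypothetical, the "redirect" class): a script injected through
// an XSS flaw changes only the href, so the page still displays the number the
// user expects while the tap dials the attacker's number.
function hijackTelLinks(html, attackerNumber) {
  return html.replace(/href\s*=\s*["']tel:[^"']*["']/gi, `href="tel:${attackerNumber}"`);
}

// Defence side: a tel: link is suspicious when the number it dials is not the
// number the user sees. Comparing digit strings tolerates formatting
// differences such as spaces, dashes and parentheses.
function findMismatchedTelLinks(html) {
  return extractTelLinks(html).filter((l) => {
    const shownDigits = normalizeNumber(l.shown).replace(/^\+/, '');
    const dialedDigits = l.dialed.replace(/^\+/, '');
    return shownDigits !== dialedDigits;
  });
}

// Usage: the clean page passes, the hijacked copy is flagged on every tel: link.
const clean = findMismatchedTelLinks(SAMPLE_PAGE);
const hijacked = findMismatchedTelLinks(hijackTelLinks(SAMPLE_PAGE, '+1-900-555-0133'));
console.log(`clean page: ${clean.length} mismatched, hijacked page: ${hijacked.length} mismatched`);
```

The check only catches the case where the attacker changes the destination but leaves the visible number alone; a script that rewrites both, or that intercepts the tap and navigates to a tel: URL itself, would pass it, which is why the advice in the article is to avoid dialing from the browser at all until the underlying issues are fixed.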

"SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues," Hoffman said.



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
