iOS URL handler poses 'significant risk'
There is a flaw in Apple's iOS deals that allows an attacker to launch third party apps, according to a security researcher.
The issue, according to Nitesh Dhanjani, lies with the way Safari URL protocol handlers — referred to as URL schemes in Apple's official documentation — are used in iOS and Mac OS X.
The flaw requires user interaction to exploit with Apple apps, but the main problem lies with third party apps, said Dhanjani.
For example, Dhanjani said in a blog post that if an iPhone user was to browse a malicious website that contained the source code it would call up the dialler with the number displayed on screen, but would require the user to initiate the call. Third party apps do not fare so well, said Dhanjani.
"Now, let us assume the user has Skype.app installed. Let us also assume that the user has launched Skype in the past and that application has cached the user's credentials." Modifying the code to read has potentially more sinister consequences.
"In this case, Safari throws no warning, and yanks the user into Skype which immediately initiates the call."
An attacker can dial numbers without the knowledge of the users. In addition, "a malicious site can make Skype.app call a Skype-id who can then uncloak the victim's identity," he wrote in the post.
Dhanjani says that this is not a problem that is specific to Skype, or the 'tel:' handler, which is one of the few handlers that requests authorisation before closing the Safari browser — unlike third-party apps which have to be fully loaded before requesting authorisation. He also suggests that this has an easy fix, "Apple needs to step up and allow the registration of URL Schemes that can instruct Safari to throw an authorisation request prior to yanking the user away into the application."
Dhanjani said that he contacted Apple to inform them that this behaviour was possible on both OS X and iOS, but that the company responded saying that the onus is on third-party developers to ensure that their apps request authorisation before performing an action. The researcher said that third party developers need to be aware of the flaw.
"I feel the risk posed by how URL Schemes are handled in iOS is significant because it allows external sources to launch applications without user interaction and perform registered transactions. Third party developers, including developers who create custom applications for enterprise use, need to realise their URL handlers can be invoked by a user landing upon a malicious website and not assume that the user authorized it."
In 2008, Dhanjani contacted Apple to disclose a Carpet Bombing weakness in Safari that allows malicious websites to drop any data or binaries into the 'Downloads' folder.
The weakness remains unpatched for Safari on the Mac, but the company was forced to resolve the issue with the Windows version of the software when Microsoft's security advisory began recommending that users' shouldn't trust the browser.