Wednesday, July 18, 2007

Security company warns against using iPhone's web dialer

The iPhone has a great new feature, and since the device is a combination of phone and browser, the feature works really well for most users. But like any other great new feature, it carries tremendous potential for misuse, and seeing how easy that misuse is, security companies are warning users either not to use the feature at all or to be very careful when they do.
What is the feature? The iPhone uses Safari as its web browser. If a web site displays a phone number, all the user has to do is tap that number in the browser and the phone dials it. This is a great feature, but the scope for misuse is just as great. Imagine the phone in the hands of a neophyte who is viewing some 'interesting' site, where a number is displayed next to a catchy slogan. Tap the number, and if it is an international number or a fraud number, the calls can become very expensive very quickly.
Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said.
In order for the attack to work, the bad guys would have to either trick iPhone users into visiting a malicious Web site or make a legitimate Web site send untrustworthy information to the iPhone using what's known as a cross-site scripting attack. "Any time someone could control the content that's getting sent to the iPhone [the possibility of an attack] exists," Hoffman said.
It is not as difficult as it sounds. All it takes is an iPhone in the hands of a child or of someone else who is not so experienced, and building a site that looks attractive and carries this kind of mischief is not hard. As of now there is no way to prevent it, so being careful is the only good way of dealing with this problem.
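As an added illustration (not code from the original post, nor from Apple or SPI Labs), here is a defender-side check that a site owner or content filter could run over HTML before it reaches a phone browser: it finds the clickable tel: links the browser would dial, flags premium-rate ("900") and international numbers, and reports links whose visible text shows a different number from the one that would actually be dialed. The premium-rate prefixes, the home country code, the "011" international prefix and the sample HTML are all assumptions constructed for this example.

```javascript
const HOME_COUNTRY_CODE = "1";              // assumed: North American numbering plan
const PREMIUM_PREFIXES = ["1900", "1976"];  // assumed premium-rate prefixes (not exhaustive)

// Canonical dialable digits (country code first), or null if no plausible number.
function canonicalize(raw) {
  const trimmed = raw.trim();
  let digits = trimmed.replace(/[^0-9]/g, "");
  if (trimmed.startsWith("+")) {
    // "+" (E.164) form: the digits already begin with the country code
  } else if (digits.startsWith("011")) {
    digits = digits.slice(3);               // assumed "011" international dialing prefix
  } else {
    digits = HOME_COUNTRY_CODE + digits.replace(/^1/, ""); // domestic, with or without leading 1
  }
  return digits.length < 8 ? null : digits;
}

// Classify one tel: URL as "invalid", "premium", "international" or "ok".
function classifyTelHref(href) {
  if (!/^tel:/i.test(href)) return "invalid";
  const number = canonicalize(href.slice(4));
  if (number === null) return "invalid";
  if (PREMIUM_PREFIXES.some((p) => number.startsWith(p))) return "premium";
  if (!number.startsWith(HOME_COUNTRY_CODE)) return "international";
  return "ok";
}

// Find every <a href="tel:..."> in an HTML string; report its risk class and
// whether the visible link text shows a different number from the one dialed.
function auditTelLinks(html) {
  const anchor = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  for (const m of html.matchAll(anchor)) {
    const [, href, inner] = m;
    if (!/^tel:/i.test(href)) continue;
    const text = inner.replace(/<[^>]+>/g, "").trim();   // strip nested tags
    const shown = canonicalize(text);
    const dialed = canonicalize(href.slice(4));
    findings.push({ href, text, risk: classifyTelHref(href),
                    textMismatch: shown !== null && shown !== dialed });
  }
  return findings;
}

// Constructed sample page: a normal number, a premium-rate lure, a link whose
// text shows a local number but dials abroad, and a malformed link.
const SAMPLE_HTML = `
<p>Call us: <a href="tel:+1-555-0100">+1-555-0100</a></p>
<p><a href="tel:1-900-555-0199">Tap here to claim your prize!</a></p>
<p><a href="tel:+44-20-7946-0958">555-0100</a></p>
<p><a href="tel:555">Short</a></p>`;
console.log(JSON.stringify(auditTelLinks(SAMPLE_HTML), null, 1));
```

The same check can be applied to content a site accepts from third parties, which is where the cross-site scripting route mentioned above comes in.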
