iPhone Flaw Can Reportedly Be Exploited to Automatically Make Calls

Advertisement
By NDTV Correspondent | Updated: 25 August 2014 12:48 IST
A potential flaw in the way Apple makes life easier for users and app developers could be exploited to force devices to automatically make premium calls, inflating the phone bills of victims and, in some cases, stealing their identities.

Apple allows apps to make phone calls when a user taps a number on screen, by identifying actionable text with tags called URIs (Uniform Resource Identifiers). Calls can be placed without a confirmation dialog popping up when the scheme is used within apps. Such functionality was designed for search and listings apps. However, it has also been used for messaging and communications apps, such that when a person sends someone else a phone number, the recipient can tap it to call it.

Security researcher Andrei Neculaesei has now demonstrated that attackers can abuse the "tel:" URI scheme by packaging JavaScript along with the target URI which automatically executes the call without waiting for a user to tap anything. With no an OS-level warning in place, an attacker could force phones to dial premium numbers which are instantly picked up on the receiving end, and collect money which would be charged to the victims' phone bills.

An attacker would only have to send out spam messages with a disguised URL to the manipulated code for the scheme to work. In a post to his website, reported by Engadget, Neculaesei demonstrates the flaw at work in the Facebook Messenger, Gmail and Google+ apps running on an iPhone. Dozens of similar apps might be similarly vulnerable

Rather than blame Apple exclusively, Neculaesei blames the app developers for using the tel: URI irresponsibly. The exact design of the scheme is documented by Apple, and an alternative which forces a prompt, telprompt:, also exists. Apple's URI implementation is meant to give app developers options so that users are not inconvenienced by confirmation dialogs for every call they try to place through an app's interface.

The feature (or bug) takes on a more serious tone when used to trigger FaceTime calls. Users could be tricked into placing video calls which are picked up instantly, at which point screenshots of their faces could be saved without their knowledge.

While the problem is not the result of a traditional security flaw or bug, Apple could force prompts in all cases to mitigate the issue, although this would annoy users.
Post your comments

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Apple, Facebook, Gmail, Google, iOS, iOS security, iPhone, iPhone security, scam
Intex Cloud FX Firefox OS Smartphone Launched at Rs. 1,999
Hackers Target Games to Find Ways to Cheat
Advertisement

Related Stories

iPhone 18 Pro Max Could Sport Familiar Design With Subtle Changes to Camera Module, Leaked Dummy Shows
24 April 2026
iPhone 18 Could Fall Behind iPhone 17 With Older Display Material, Widening Gap With Pro Models: Report
23 April 2026
iOS 26.4.2 Update Rolled Out With Fix for Bug Used to Extract Notifications for Deleted Chats
23 April 2026
Apple Tipped to Introduce Camera Upgrades Through 2028; iPhone 18 Pro Could Lead Shift to Advanced Imaging
23 April 2026
Control Ultimate Edition Arrives on iPhone and iPad With Touch Controls, Universal Purchase
22 April 2026
Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. OTT Releases This Week: 24, Band Melam, Nukkad Naatak, Prathichaya, and More
  2. Vivo Y6 5G Debuts With 7,200mAh Battery, 6.75-Inch Screen at This Price
  3. Redmi Note 17 Pro Max Leak Reveals Chipset, Camera Details
  4. Leaked Dummy Gives Us an Early Look at the Design of the iPhone 18 Pro Max
  5. Jio Launches Youth and Gaming Plan With Snapchat+ and These Benefits
  6. Instagram Launches Instants App With Disappearing Photos to Rival Snapchat
  7. Honor MagicPad 3 Pro 12.3 Debuts With 10,100mAh Battery, Slim 4.8mm Profile
#Latest Stories
  1. Realme C100x Tipped to Launch in India Soon as Key Specifications and Design Surface Online
  2. Morgan Stanley Announces MSILF Stablecoin Reserves Portfolio for Issuers
  3. Jio Youth and Gaming Plan With Snapchat+, FanCode and Gemini Pro Launched: Price, Benefits
  4. Infinix GT 50 Pro Launched With Dimensity 8400 Ultimate, HydroFlow Liquid Cooling, Shoulder Triggers: Price, Features
  5. Adobe Previews New Agentic AI Workflows for Marketing Tasks at Adobe Summit 2026
  6. Microsoft Gaming Rebrands to Xbox, Debuts New Logo as Xbox Chief Says Company Reevaluating Exclusive Games
  7. Instagram Launches Instants App With Disappearing Photos to Rival Snapchat, BeReal
  8. Prathichaya (2026) Now Streaming Online: What You Need to Know
  9. Vivo X500 Series Tipped to Launch With 144Hz Displays, Ultrasonic Fingerprint Scanners
  10. Kelp Exploit Aftermath: DeFi Protocols Join Hands to Restore rsETH Following $293 Million Hack
Gadgets 360 is available in
Follow Us
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.