Saturday, July 21, 2007

Apple iPhone Safari Web Dialer not safe to use

Security researchers have reported that the web dialer reachable from the Apple iPhone's Safari web browser is not safe to use.

Billy Hoffman, lead researcher at SPI Labs, said in an advisory that calls placed through the web dialer can be tracked by an attacker, that an attacker can prevent such calls from being made at all, and that calls can be rerouted to 900-numbers.

Hoffman added that a flaw in the dialer also allows an attacker to trap the iPhone in an infinite loop in which it keeps trying to place calls until the user powers the device off.

He further wrote in his advisory: “These types of attacks can be launched from a malicious Web site, from a legitimate Web site that has Cross-Site Scripting vulnerabilities, or as part of a payload of a Web application worm. For example, an attacker could determine that a specific Web site visitor ‘Bob’ has called an embarrassing number, such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone, forcing Bob to either make the call or hard-reset his phone, resulting in possible data loss.”

He added that SPI Labs has reported the problem to Apple, and that a fix for the iPhone is being worked on.

