Security researchers at SPI Labs are warning iPhone users not to use a special feature that lets them dial telephone numbers over the Web using the iPhone’s Safari browser.
Safari on the iPhone gives users an easy way to dial phone numbers listed on Web pages, but SPI Labs has found that attackers could exploit a bug in this feature to trick a user into calling expensive “900” numbers, or even to keep track of phone calls the victim makes over the Web. The iPhone could also be stopped from dialing out, or set to dial out endlessly.
All iPhones could be affected.
For the attack to work, an iPhone user would have to visit a malicious Web site, or a legitimate Web site that has been hacked (by a cross-site scripting attack) so that it sends untrustworthy information to the iPhone.
SPI is not releasing detailed information on how the Web dialing feature could be exploited, but the company contacted Apple on July 6 and is working to fix the security flaw.