| |
The SPI laboratory : SPI Labs advises avoiding iPhone feature
by Acidus at 11:39 am EDT, Jul 17, 2007 |
The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including: * Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
* Tracking phone calls placed by the user
* Manipulating the phone to place a call without the user accepting the confirmation dialog
* Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
* Preventing the phone from dialing These types of attacks can be launched from a malicious website, from a legitimate website that has Cross-Site Scripting vulnerabilities, or as part of a payload of a web application worm. For example, an attacker could determine that a specific website visitor “Bob” has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent such a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone forcing Bob to either make the call or hard-reset his phone resulting in possible data loss.
Told you it would mention an escort service. |
| |
RE: The SPI laboratory : SPI Labs advises avoiding iPhone feature
by Worthersee at 1:37 pm EDT, Jul 17, 2007 |
Acidus wrote: For example, an attacker could determine that a specific website visitor “Bob” has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent such a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone forcing Bob to either make the call or hard-reset his phone resulting in possible data loss.
Told you it would mention an escort service.
Should of said:
For example, an attacker could determine that a specific website visitor “Dick” has called an embarrassing number such as an escort service. |
|
| |
RE: The SPI laboratory : SPI Labs advises avoiding iPhone feature
by dc0de at 5:07 pm EDT, Jul 18, 2007 |
Acidus wrote: The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including: * Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
* Tracking phone calls placed by the user
* Manipulating the phone to place a call without the user accepting the confirmation dialog
* Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
* Preventing the phone from dialing These types of attacks can be launched from a malicious website, from a legitimate website that has Cross-Site Scripting vulnerabilities, or as part of a payload of a web application worm. For example, an attacker could determine that a specific website visitor “Bob” has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent such a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone forcing Bob to either make the call or hard-reset his phone resulting in possible data loss.
Told you it would mention an escort service.
Acidus, Why are you picking on Ford motor vehicles? What's wrong with the escort? |
|
SPI Labs advises avoiding iPhone feature
by Decius at 6:47 pm EDT, Jul 16, 2007 |
The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including: * Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
* Tracking phone calls placed by the user
* Manipulating the phone to place a call without the user accepting the confirmation dialog
* Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
* Preventing the phone from dialing
|
SPI Labs advises avoiding iPhone feature
by Rattle at 10:42 am EDT, Jul 17, 2007 |
The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including: * Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
* Tracking phone calls placed by the user
* Manipulating the phone to place a call without the user accepting the confirmation dialog
* Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
* Preventing the phone from dialing
Oops, Billy did it again! |
|
|
