SPI Labs' lead researcher Billy Hoffman says that the iPhone Safari feature that dials any phone number displayed on a Web page when the user taps it can be abused through several attack routes, including cross-site scripting and drive-by downloads. SPI Labs first reported the issue to Apple on July 6, but Hoffman believes its "unique urgency" and its potential to affect a large number of people warranted public disclosure.
Potential uses of the vulnerability cited by Hoffman include redirecting what should be a free call to a fee-based phone number, tracking which calls a visitor places, manipulating the confirmation screen so that a call is placed even though the user never accepts it, putting the phone into an infinite loop from which the only escape is to power it off, and preventing the phone from dialing at all.
In a blog post, Hoffman offers a few real-world scenarios: "For example, an attacker could determine that a specific Web site visitor, 'Bob', has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob's phone, forcing Bob to either make the call or hard-reset his phone, resulting in possible data loss."
Until Apple resolves these issues, SPI Labs recommends that iPhone users avoid the call-from-a-Web-page feature altogether by not tapping phone numbers displayed in Safari.