
iPhone's Safari dialing feature can be hacked

Feature designed to dial Web page phone numbers is subject to cross-site scripting attack.

Intended to be a convenience, the unique dialing feature included in the iPhone version of the Safari browser might soon become a nightmare.

SPI Labs' lead researcher Billy Hoffman says the feature, which dials any phone number displayed on a Web page when a user taps it, is subject to several attacks, including cross-site scripting and drive-by downloads. The issue was first reported to Apple on July 6, but Hoffman believes its "unique urgency" and its potential to affect a large number of people warranted public disclosure.

Potential uses of this vulnerability cited by Hoffman include redirecting free calls to fee-based phone numbers, tracking phone calls, manipulating the confirmation screen so that a call is placed even if the user doesn't accept, placing the phone in an infinite loop where the only escape is to turn it off, or preventing the phone from dialing at all.

In a blog post, Hoffman offers a few real-world scenarios. "For example, an attacker could determine that a specific Web site visitor 'Bob' has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob's phone forcing Bob to either make the call or hard-reset his phone resulting in possible data loss."

Until Apple resolves these issues, SPI Labs recommends that iPhone users avoid Safari's dialing feature altogether by not tapping phone numbers on Web pages.
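One of the risks Hoffman lists, a link that shows the visitor one number but dials another (such as a 900-number), is something a site operator can audit for in the HTML they serve, especially where page content comes from users or third parties. The following JavaScript is an added example, not code from the article or from SPI Labs: it accepts only `tel:` hrefs made of an optional `+` and digits, and it flags any anchor whose visible text does not match the number the link would dial. The HTML fragment is constructed for illustration and the function names are assumptions.

```javascript
// Added example (not from the article): audit tel: links in an HTML fragment so that
// the number a visitor sees is the number the device would actually dial.

// Allow only "tel:" followed by an optional "+" and 3 to 15 digits. Anything else
// (separators, extensions, other schemes) is rejected rather than interpreted.
const TEL_HREF = /^tel:\+?[0-9]{3,15}$/;

// Strip formatting from a displayed number: "+1 (800) 555-1234" -> "+18005551234".
function normalizeDigits(s) {
  return s.replace(/[^0-9+]/g, '');
}

// Check one link. Returns { ok: true } or { ok: false, reason }.
function checkTelLink(href, displayText) {
  if (typeof href !== 'string' || !href.toLowerCase().startsWith('tel:')) {
    return { ok: false, reason: 'not a tel: link' };
  }
  if (!TEL_HREF.test(href)) {
    return { ok: false, reason: 'href contains characters outside +/digits' };
  }
  const target = href.slice('tel:'.length);
  const shown = normalizeDigits(displayText);
  // The visible text must spell out exactly the number being dialed; link text such
  // as "Call sales" with a hidden number behind it is treated as a finding too.
  if (shown !== target) {
    return { ok: false, reason: 'displayed number differs from dial target' };
  }
  return { ok: true };
}

// Crude anchor matcher, adequate for an offline audit of a fragment (not a full HTML parser).
const ANCHOR = /<a\s+[^>]*href\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Scan an HTML fragment and report every tel: link with its verdict.
function auditTelLinks(html) {
  const findings = [];
  let m;
  while ((m = ANCHOR.exec(html)) !== null) {
    const [, href, inner] = m;
    if (!/^\s*tel:/i.test(href)) continue; // ordinary links are out of scope
    const text = inner.replace(/<[^>]*>/g, ''); // drop inline tags, keep the visible text
    findings.push({ href, text, ...checkTelLink(href.trim(), text) });
  }
  return findings;
}

// Constructed sample: one honest link, one whose text hides a different (900) number,
// one with separators and an extension the strict pattern refuses, one non-tel link.
const SAMPLE_HTML = `
<p>Call us: <a href="tel:+18005551234">+1 (800) 555-1234</a></p>
<p>Support: <a href="tel:+19005550100"><b>+1 (800) 555-0199</b></a></p>
<p>Legacy: <a href="tel:1-800-555-1234;ext=1">1-800-555-1234</a></p>
<p>Site: <a href="https://example.invalid/">our homepage</a></p>
`;

for (const f of auditTelLinks(SAMPLE_HTML)) {
  console.log(f.ok ? 'OK  ' : 'FLAG', f.href, f.ok ? '' : `(${f.reason})`);
}
```

Run over the constructed fragment, the first link passes, the second is flagged because the text shows an 800 number while the href dials a 900 number, and the third is flagged because its href is not in the strict `+digits` form; the `https:` link is ignored as out of scope.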