Apple iThing users can be identified, images of their faces captured and their phones forced to call numbers – all thanks to coding schemes affecting Facebook, Google, and Twitter, among other sites and services, security researchers say.
Attackers and pranksters can force iOS coding schemes to send an SMS or an instant message through Facebook, Google Plus or GMail which, when opened, made the victims phone place a call without first triggering a prompt confirming the action.
The flaw can also be used to unmask anonymous Twitter users by baiting them to open links which would in turn force their devices to place phone calls.
FaceTime calls can also be placed, allowing an attacker to potentially capture a still image of a victims' face.
These attacks can be crafted to trigger the action without any interaction from the victim, save for the visiting the page.
Apple has detailed the problem in its guidance:
"When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user," the document reads.
The document also explains that something called the "tel URL scheme is used to launch the Phone app on iOS devices and initiate dialing of the specified phone number."
The problem came to light when security researcher Ravi Borgaonkar suggested Google and Facebook may not have read the manual or perhaps ignored how the tel scheme works.
"I instantly assumed people do read documentation so there was no way a big player like Facebook, Twitter, Google, LinkedIn, ectera would make such a silly mistake ... but I was wrong," Borgaonkar wrote.
"While I only tested on a few apps which are big names, it is safe to assume that the smaller teams and platform haven't even thought about preventing this."
Borgaonkar has posted a demo of the flaw working its evil magic on Facebook here (GIF).
Independent security bod Guillaume Ross (@gepeto42) said Apple added a warning that a Facetime call was about to be made not in the application itself, but in its Safari web browser, meaning other third party browsers and apps could still be exposed to issuing silent Facetime phone calls.
Ross reported the risk to developers of the small One Password browser who promptly fixed the flaw, but Google said it was not a Chrome problem and suggested Apple should fix it within Facetime.
Pranksters could also overwrite text files on a user's iCloud account by guessing a file's name (such as important.txt or notes.txt) and crafting a website that used the byword iOS scheme.
Ross found similar issues in Twitter (or any app that uses UIWebview or Webkit) that he could exploit to force users to follow accounts, a feat that could tie users to their anonymous Twitter profiles.
"If you want to know who a real Twitter user is, just send them a link that has an inline frame [and] as soon as they click on the link the call is established and you know who he is," Ross said. "If you need to know someone's phone number, it's really useful."
The first of these iOS coding issues was discovered by researcher Nitesh Dhanjani in 2010 who found that Skype could be made to place calls from iframes without user intervention. ®