A bug in the iOS WebView component allows an attacker to force someone's iPhone to dial any number, while also locking the user's interface for a few moments, preventing him to cancel the outgoing call.
...
The iOS WebView component is a stripped down browser that developers integrate with their apps to provide an in-app web page viewing component.
Twitter, LinkedIn, Facebook, or Pocket, use this component to open links inside their iOS apps, without opening an external browser such as Safari, Firefox, or Chrome.
...
The issue is in how the WebView component (mis)handles telephone links (TEL URIs such as tel:< phone number >) embedded in web pages.
If the user clicks on the link, in WebView, the phone automatically dials the number. If the attacker redirects the user to a page that uses a meta-refresh tag to reload the page with a new URL, of the number he wants to dial, the phone automatically dials the phone number, even if the user clicked on a seemingly innocent link.
In Safari, where Apple fixed the issue, the browser asks the user via a popup if he wants to call the number.
Despite the auto-dialing behavior, Mulliner says that users can still cancel these calls. The bad news is that an attacker could use repeated page refreshes, to force the user's WebView component to spawn additional components.
This is possible thanks to URI binding, the practice of automatically opening specific links with predetermined apps, such as the default SMS app for SMS: URLs or iTunes via the itms-apps: URL.
Opening multiple apps in a short time, while also initiating a call, freezes the user's iPhone UI, and he can't cancel the call.
Full story and videos : iOS WebView Bug Can Force iPhones to Make Calls While UI Freezes
...
The iOS WebView component is a stripped down browser that developers integrate with their apps to provide an in-app web page viewing component.
Twitter, LinkedIn, Facebook, or Pocket, use this component to open links inside their iOS apps, without opening an external browser such as Safari, Firefox, or Chrome.
...
The issue is in how the WebView component (mis)handles telephone links (TEL URIs such as tel:< phone number >) embedded in web pages.
If the user clicks on the link, in WebView, the phone automatically dials the number. If the attacker redirects the user to a page that uses a meta-refresh tag to reload the page with a new URL, of the number he wants to dial, the phone automatically dials the phone number, even if the user clicked on a seemingly innocent link.
In Safari, where Apple fixed the issue, the browser asks the user via a popup if he wants to call the number.
Despite the auto-dialing behavior, Mulliner says that users can still cancel these calls. The bad news is that an attacker could use repeated page refreshes, to force the user's WebView component to spawn additional components.
This is possible thanks to URI binding, the practice of automatically opening specific links with predetermined apps, such as the default SMS app for SMS: URLs or iTunes via the itms-apps: URL.
Opening multiple apps in a short time, while also initiating a call, freezes the user's iPhone UI, and he can't cancel the call.
Full story and videos : iOS WebView Bug Can Force iPhones to Make Calls While UI Freezes
