Malicious Websites Can Initiate Skype Calls On iOS

Posted by Soulskill on Monday November 8, 2010 @01:02PM from the buck-passing dept.

An anonymous reader writes "In this article, security researcher Nitesh Dhanjani shows how iOS insecurely launches third-party apps via registered URL handlers. Malicious websites can abuse this to launch arbitrary applications, such as getting the Skype.app to make arbitrary phone calls without asking the user. Dhanjani 'contacted Apple's security team to discuss this behavior, and their stance is that the onus is on the third-party applications (such as Skype in this case) to ask the user for authorization before performing the transaction.' He also discusses what developers of iOS apps can do to design their software securely and what Apple can do to help out."

2 of 177 comments (clear)

Min score:

Reason:

Sort:

Is this *really* only an Apple bug?? by bradgoodman · 2010-11-08 13:32 · Score: 5, Insightful

As an iOS developer - I kind of agree with Apple. I write apps which register URL handlers - and when one clicks on on - I make the *user* validate that this is what they really want to do. The same kind of exploits could be done on PCs - if you had a URL handler - like "SSH" which blindly allowed a third-party URL-click to launch SSH on your PC and log into a site - or even to do the same thing with *skype* URLs. Has anyone verified if these kind of behaviors would or would not happen on a PC or Linux machine?
This just in by blueg3 · 2010-11-08 14:14 · Score: 5, Insightful

URL handlers handle URLs. Geeks are shocked.