Slashdot Mirror


Malicious Websites Can Initiate Skype Calls On iOS

An anonymous reader writes "In this article, security researcher Nitesh Dhanjani shows how iOS insecurely launches third-party apps via registered URL handlers. Malicious websites can abuse this to launch arbitrary applications, such as getting the Skype.app to make arbitrary phone calls without asking the user. Dhanjani 'contacted Apple's security team to discuss this behavior, and their stance is that the onus is on the third-party applications (such as Skype in this case) to ask the user for authorization before performing the transaction.' He also discusses what developers of iOS apps can do to design their software securely and what Apple can do to help out."

5 of 177 comments

  1. Re:3rd Party Responsibility? by MichaelKristopeit122 · Score: 0, Troll
    i don't understand... if it's so clearly a problem with the app, then how come every post claiming this is a security flaw on apple's part is moderated +5 insightful?

    oh, right...

    slashdot = stagnated

  2. Re:Apple should handle but it's Skype's fault by MichaelKristopeit123 · Score: 0, Troll
    i don't understand... if he doesn't know what he's talking about, then why is he moderated +5 insightful?

    oh right...

    slashdot = stagnated

  3. Re:Once again proving... by MichaelKristopeit172 · Score: 0, Troll

    I would rather have a pathetic:MichaelKristopeit link always reply "Yes, pathetic".

  4. Re:Once again proving... by MichaelKristopeit172 · Score: 0, Troll

    "MichaelKristopeit118" is operated by an individual attempting to steal the identity of "MichaelKristopeit162".

    you're pathetically predictable.

  5. Re:3rd Party Responsibility? by BasilBrush · Score: 0, Troll

    Then, in the next iOS update (or the one after, if the next update is scheduled to be too soon) there will suddenly be a prompt for launching applications via registered URL handlers, possibly with some hype about how Apple is looking out for you, but not necessarily.

    No they won't. Confirmation dialogs as a matter of course is the Windows Vista way. It's not the Apple way. They may at some time provide a facility for app developers to opt to have a confirmation dialog before leaving Safari, for operations which have security implications.

    Meanwhile, the Apple answer is absolutely correct. The onus is on App developers to decide on the security implications of acting on any URL types they define. And to decide for themselves what user interaction should be required.
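
The app-side mitigation discussed in the summary and the last comment, sketched as an added example that is not part of the original thread or of any real app's code: the URL handler treats the incoming URL as untrusted, validates it, and acts only after the user confirms. The scheme `examplecall`, the `number` parameter and `placeCall` are hypothetical, and the app is assumed to use the app-delegate lifecycle (no scene delegate).

```swift
import UIKit

// Hypothetical scheme for this example: examplecall://dial?number=+15550100
// Scheme, host and query key are assumptions, not taken from any real app.
func parseDialNumber(from url: URL) -> String? {
    guard url.scheme?.lowercased() == "examplecall",
          url.host?.lowercased() == "dial",
          let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
          let raw = items.first(where: { $0.name == "number" })?.value
    else { return nil }
    // Accept an optional leading "+" followed by 3 to 15 ASCII digits, nothing else.
    let digits = raw.hasPrefix("+") ? String(raw.dropFirst()) : raw
    guard (3...15).contains(digits.count),
          digits.allSatisfy({ $0.isASCII && $0.isNumber })
    else { return nil }
    return raw
}

@main
class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    // iOS calls this when another app or a web page opens a URL with our scheme.
    // Nothing about the call proves the user asked for it, so ask before acting.
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        guard let number = parseDialNumber(from: url),
              let presenter = window?.rootViewController
        else { return false }   // reject malformed or unexpected URLs outright
        let alert = UIAlertController(
            title: "Place call?",
            message: "A link asked this app to call \(number).",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            self.placeCall(to: number)   // runs only after explicit consent
        })
        presenter.present(alert, animated: true)
        return true
    }

    // Placeholder for the app's real call logic (hypothetical).
    private func placeCall(to number: String) {
        print("Dialing \(number)")
    }
}
```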