Advertisers Already Using New iPhone Text Message Exploit

Andy Smith writes: The annoying App Store redirect issue has blighted iPhone users for years, but now there's a new annoyance and it's already being exploited: Visit a web page on your iPhone and any advertiser can automatically open your messages app and create a new text message with the recipient and message already filled in. We can only hope they don't figure out how to automatically send the message, although you can bet they're trying.

Not clicking that

Visit a web page on your iPhone and any advertiser can automatically open your messages app

You'll forgive me if I dont click that

Re:Not clicking that

[Technician]

It's ok to visit and read the article, but use a PC, not an Apple product. May I recommend Firefox on Linux?

Re:Not clicking that

[hyperar]

It's ok to visit and read the article, but use a PC, not an Apple product. May I recommend Firefox on Linux?

Firefox?

See

[Greyfox]

It's shit like that that drives people to adblock. And also to class action lawsuits.

Re:See

[jellomizer]

Exactly, Adblocking for the most part isn't about trying to stop advertising that helps pay for the operation of the website, but to stop abusive add companies that attempt to turn your full device into an advertising media. Especially when it gets past the site you are viewing, then the add revenue doesn't go to the web-site but only to the advertising company, thus creating a no benefit business model.

Re:See

I do not currently and do not expect to ever have a personal opposition to advertisements hosted on the same server as the page I am viewing and inserted by server-side script.

So long as the advertisements are handled by a third party client-side script, page owners can claim ignorance of what is being advertised through their page. This willful refusal to asses their own contribution to the spread of malicious software is why I have no doubts about my decision to use ad blockers and a nice big host file.

Re:See

[fustakrakich]

I do not currently and do not expect to ever have a personal opposition to advertisements hosted on the same server as the page I am viewing and inserted by server-side script.

No, no scripts.. certainly not without asking permission to run. They can put up regular old HTML static pictures and text in the main page.

The only safe browser we will soon have is one that just views the page source without parsing it.

Re:See

[JustAnotherOldGuy]

Exactly, Adblocking for the most part isn't about trying to stop advertising that helps pay for the operation of the website, but to stop abusive add companies

Bingo. I'd be happy seeing a reasonable number of non-intrusive ads on a page, but that's not the problem here.

I run AdBlock specifically to try and avoid the malware-laden ads and auto-playing ads with sounds. I have no problem with text ads whatsoever, but when ads cross the line and infect my PC or blare sound unrequested, that's it.

The advertisers have really brought this on themselves for the most part. Not 100% of the blame, but ~95% of the blame is on them.

I say 95% because I realize it's hard to vet every ad, especially those with flash, but that's not my problem- it's their problem and if they can't get a grip on it then they completely lose my eyeballs.

Really, I don't mind a reasonable number of benign ads, but infecting my PC isn't something I'm willing to agree to.

Re:See

Server-side scripting is just a fancy way of saying "static HTML generated by the server and sent to your client as-is". It's not a script you have to run, as that would be client-side scripting (a.k.a. Javascript).

For all practical intents and purposes, "server-side scripting" produces static HTML. (The only reason there's a distinction at all is because of page caching.)

Re:See

[Grishnakh]

Do you not understand what server-side scripting is?

Hint: it's different from client-side scripting. And turning off JavaScript in your browser has no effect on it.

Re:See

[Grishnakh]

Maybe, but I don't really see the problem here. This is the price you pay for using Apple products. You can't even install a different browser like Firefox on Apple's iCrap devices because they won't allow anything that doesn't use their own WebKit renderer, so everything is going to be stuck with whatever vulnerabilities that the regular Apple browser has.

Android has its issues to be sure, but at least you're allowed to install whatever browser you want on an Android device. So if the built-in one sucks, just install Firefox.

Re:See

[amicusNYCL]

Note that advertisement, advertiser, advertising, etc each have 1 letter D. "Add" is a mathematics term.

Re:See

[ripvlan]

Yes - right on.

I've noticed that many websites that link from FB in the mobile app are overtaken by the ads they serve. I tried reading a newsy item and each time the site came up briefly before auto-forwarding to some spamy ad site instead. Pressing the Back button didn't work - the original site was unusable.

These bad-ads are affecting "legitimate" content sites.

I haven't seen this behavior in mobile Chrome. But whatever browser FB uses isn't all that secure. I've wondered how much extra tracking happen in that browser? (e.g. where do I clear my cookies?)

Re:See

[Technician]

I find sometimes it is best to make it blow up to get it fixed.

Sometimes a bug is managed and annoys a lot of people.

Remember the fake PC support scam from a year ago? The calls have pretty much stopped once it became game on to call them and abuse them in a virtual PC and post the results online.

If this remains unfixed, there should be some way to bait it to overload the workers responding and never sending money.

How many users can a gambling website support who have no credit cards? Join and try to get technical support because your ficticious credit card isn't working. Overload them, then it will get fixed.

Re:See

[Cro+Magnon]

I agree. They need to subtract the extra letter.

Re:See

[Fnord666]

The advertisers have really brought this on themselves for the most part. Not 100% of the blame, but ~95% of the blame is on them.

Yep, it's that miscreant 95% that give the other 5% a bad name!

Sometimes it's good to wear tin foil?

[s.petry]

I know I'm an odd ball, cynical, and critical. As proof, I use my phone as a Phone and iPod. I didn't like Palm Pilots either, for some of the same reasons. The screen is too small, the keyboard sucks ass, and it's too slow. Phones added a new dimension though.. which is whether or not I trust a network my phone connects to that I can't see or audit.

You can do what ever you want on your phone in my opinion. The vendor should be responsible for teaching people risks, but risks are then up to the consumer. Want to play games, brows the web, use custom Social media apps all on a mobile device? Good for you. I don't, and won't, and am pretty happy with my decisions.

Re:Sometimes it's good to wear tin foil?

[spire3661]

Yep. Its not my 'phone', its my pocket computer and is an extension of my secured network. No your kid cant play games on my pocket computer.

Re:Sometimes it's good to wear tin foil?

[Grishnakh]

Yes, the on-screen keyboards on phones are a pain to type on. However, it's better than nothing at all, or in many cases trying to lug around a laptop. That's why many of us use them.

I guess if you never leave your parents' basement, then you might not see the use in a handheld mobile communication device with internet access.

Seems illegal

Let's fine them $100k per infraction

Hey, they paid a lot for that feature!

It's not an "exploit"!

You've been "productized" and then "monetized".

Computer fraud ...

[gstoddart]

So when will we start holding ad agencies accountable for what is basically hacking?

This is precisely why I will never have any qualms about blocking every damned ad site I can possibly identify ... because they're all ran by assholes who feel entitled to do anything they wish.

They're untrustworthy, and willing to do anything for a buck. Which means we should be blocking the hell out of this shit.

Boo hoo to anybody who says they need the ad revenue ... unless you plan on being accountable for this shit done by your advertisers, stop expecting us to trust them or you.

Re:Computer fraud ...

[lesincompetent]

I didn't read TFA but i think these advertisers are using a feature.
Am i wrong?

Re:Computer fraud ...

You assume these ad agencies are reputable businesses that aren't fly by night shells (all the way down) designed to do nothing but fleece their clients and remorselessly annoy their targets.

Selling ads online is really about dividing saps from their money as quickly as possible

Re:Computer fraud ...

[The+MAZZTer]

I am reading your comment's parent to mean that, if people are charged with "hacking" for doing much less, why not these ad agencies?

Re:Computer fraud ...

[MyAlternateID]

I am reading your comment's parent to mean that, if people are charged with "hacking" for doing much less, why not these ad agencies?

The main reason? The ad agencies are corporations with plenty of lawyers. It takes far less time and resources to prosecute a private individual. Additionally, the private individual has little or no PR capability to make the state look like bad guys for doing so (that part would come naturally to an ad agency).

Apple should remove apps that adds point to.

[jellomizer]

Or they can just give us an option to disable Safari from doing anything other than web browsing.

Re:Apple should remove apps that adds point to.

[sims+2]

You can actually turn off javascript in safari.

Settings > Safari > Advanced > JavaScript

Breaks a lot fixes a lot.

Pretty much eliminates browser crashes tho.

Re:Apple should remove apps that adds point to.

[cfalcon]

Still frustrating to not have access to noscript. I want scripts on my bank. I want scripts on some web forums that I trust. I don't want scripts in general.

Why does this API exist?

[ZorinLynx]

Why is there an API for sending a text message from a web page? Why does this need to exist at all?

You'd think someone at Apple, when they came up for this idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

Same deal with javascript being able to open the App Store. WHY??

Re:Why does this API exist?

[gstoddart]

The most likely thing is so that web-pages can have links to their app.

I agree it's idiotic and open for abuse.

I want my browser locked down in a sandbox and largely precluded from interacting with the rest of the OS, but apparently they don't make those.

Why do we keep trusting the web? Because time and time again it proves to be anything but trustworthy.

Re:Why does this API exist?

[cdrudge]

Why is there an API for sending a text message from a web page? Why does this need to exist at all?

You'd think someone at Apple, when they came up for this idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

It wasn't shot down when mailto: was included in the HTML spec. As long as the API doesn't allow you to actually send it without further consent, how is it any different than every other app's "Send to Facebook|Twitter|Email|Whatever" functionality?

Re:Why does this API exist?

[idji]

this is probably just using IPhone URL Schema to make an sms: URL, just like a mailto: URL, and no I don't think they can click send - that can only be done within the message app.

Re:Why does this API exist?

[sims+2]

Someone definitely should have said no to the text api I can't think of any good reason to have one.

A clickable link for app store apps was a good idea.
But they fked up when they allowed scripts to open it.

Why do almost none of the 3rd party browsers allow you to switch off javascript? You can turn it off in safari why not the others? Is it really that complicated to not run javascript?

Re:Why does this API exist?

[tlhIngan]

Why is there an API for sending a text message from a web page? Why does this need to exist at all?

You'd think someone at Apple, when they came up for this idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

Same deal with javascript being able to open the App Store. WHY??

JavaScript can't open the App Store. What it can do is open a link to iTunes. What happens here is if you click a link that points to iTunes (iTunes Preview), on the desktop, it goes to a page that shows you the target, followed by a button that says "Open in iTunes" at which point iTunes is supposed to open and go to the app/music/movie/tv page of that item.

On iOS, if you do the same, instead of iTunes opening, it goes to the appropriate store that sellsthe item. This is a regular feature and it's the same on iOS or Android. If you click on the "Apple App Store" button or the "Get it on Google Play", same result - it takes you to that product page in the appropriate store. Both are basically links that get treated specially.

Likewise, it's possible to do text messaging - iOS has the ability to recognize phone numbers on webpages, and if you tap them, gets you the ability to send a text or phone that number. (Sometimes its heuristics mess up in humorous ways).

That's by design.

However, iOS does not allow anyone to send a text, make a phone call, send an email or other things without manual intervention. Siri can do it, but only after Siri composes it for you. Again, this is for safety purposes - apps cannot programmatically run up your phone bill. So at worst, you have an app switch out to Messages or Mail or the App Store on you. But at that point, you must tap "Purchase" or "Send" to actually perform the task. (a webpage can't do it because that point, the other app is onscreen)

I wouldn't call this a new phenomena ... I have seen ads do this for years - especially on mobile ones where they pop up a full screen interstitial that advertises some freemuim game and the javascript calls open() on it which triggers the app store.

It's really a form of advertising that's existed on desktops for years exploiting the new mobile technology, except instead of switching between apps, it's triggering plugins.

Heck, the email one is really a lot like mailto: URLs that can fill in the To, Subject and body of a message, and wait for you to click Send.

Re:Why does this API exist?

[geekmux]

WHY you ask?

Perhaps it was Lone Starr who said it best when exclaiming, "We're not just doing it for money...We're doing it for a shitload of money!"

Re:Why does this API exist?

[Spaham]

it's a BUG, dude...

Re:Why does this API exist?

[Actually,+I+do+RTFA]

Same deal with javascript being able to open the App Store. WHY??

Well, I have an app in both the app store and the play store. So, when i talk about it, I use a URL that checks which os is hitting it, and redirects to the appropriate store. Great for tweeting, cards (next to the QR codes for each store), etc.

Re:Why does this API exist?

[CCarrot]

Why is there an API for sending a text message from a web page? Why does this need to exist at all?

You'd think someone at Apple, when they came up for this idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

It wasn't shot down when mailto: was included in the HTML spec. As long as the API doesn't allow you to actually send it without further consent, how is it any different than every other app's "Send to Facebook|Twitter|Email|Whatever" functionality?

The difference is money.

For many people, there is a cost per message (over some monthly limit) to send/receive texts, and 'subscription' texts (as the ad in the article was apparently trying to set up through this sketchy exploit) charge the user above and beyond the carrier costs. Posting to FB or Twitter doesn't carry any significant cost rider (just loss of dignity, but that's going cheap nowadays), unless the payload is big enough to impact data costs. Even emails are not individually metered like text messages, although I suppose there the data costs could potentially be higher depending on attachments.

This is even worse than those scammy mailers for credit cards, the ones that 'helpfully' pre-fill the application form out with as much of your personal info as they have access to. At least for those you have to make an effort to fill in the remaining fields and physically mail the application form: here you just have to accidentally hit the 'send' button instead of the 'cancel' button (easy to do, esp. if you're used to Android) in order to give them 'permission' to charge you, not only once but multiple times. Also, you can bet that your phone number is now on as many robot scam-dialer databases as possible...there's just no way the user wins in this scenario.

Re:Why does this API exist?

[Ronin+Developer]

However, there is no cost if you don't hit "Send". You have the option to cancel the text just as we have done for years with mailto: links.

Now, if they figure out how to actually send the text without consent, that's another game altogether.

Re:Why does this API exist?

[BronsCon]

As long as the API doesn't allow you to actually send it...

the difference ceases to be money.

Re:Why does this API exist?

[CCarrot]

However, there is no cost if you don't hit "Send". You have the option to cancel the text just as we have done for years with mailto: links.

Now, if they figure out how to actually send the text without consent, that's another game altogether.

If you accidentally hit 'Send' on a mailto link, there are no monetary consequences either, unless there's a whack of data attached to the email. If you do on the text, you're unwittingly establishing a monetary contract to pay some asshat real dollars on a regular basis. I have also heard that once 'subscribed' to these jerks, it can be hellish to get them to 'unsubscribe' you.

They're banking on the fact that the user a) is a fumble-fingered idiot like me, or b) isn't technically savvy enough to know how to cancel the text, like my parents, grandparents or the 5yo playing with moms phone in the grocery store. Actually, strike that, the 5yo would probably know how to cancel a text better than me, but they wouldn't necessarily understand why they should cancel instead of hitting send.

In a similar vein, those scam 'your windows computer has a virus' phone calls are often hilarious diversions to people who know better, but there must be a percentage of people who don't otherwise they'd die off for lack of funds/results. IMO this is in roughly the same category of sleaze.

This means war!!

Well, not a real war. I mean, it's just the Internet, so like a hacker war or something. And I'm probably not going to do anything about it. Don't know anything about hacking, personally But I'm sure someone somewhere out there will take up the torch! I just need a catchy hashtaggy thingy, and I guess I'd have to make a Twitter account? Wow, that sounds like a lot of work for a war. Uh, I guess someone else who already uses Twitter would have to do that part.

Anyway, I've done my part. It's now up to you, random outraged people of the Internet! Focus your anger and hatred into something positive and wage unholy war on these adver--what's that? 50% off penis enlargements and porn? HOW DO I HIT SEND FASTER!? AWAY!!

mailto:

[Aaden42]

How is this different than a mailto: link which can populate the subject, body, etc. but not actually send it until you tap send?

Re:mailto:

[clonehappy]

It's not.

Just like every meatspace annoyance turned into public hyperventilation when translated into computer annoyances, now every regular computer annoyance means public hyperventilation when translated into mobile annoyances.

Even for slashdot, calling this an "exploit" is a fucking stretch. But oh yeah, fuck Apple or something...

Re:mailto:

[Cinnamon+Beige]

How is this different than a mailto: link which can populate the subject, body, etc. but not actually send it until you tap send?

While I don't use iJunk, my guess is that it's not set up to be one transparently and/or intentionally in the coding--so, it's basically a case where intent made the difference between a useful feature and a security hole.

"Ads hard to find because changed after approval"

[JoeyRox]

In that case we'll all continue to run ad blockers until you guys are able to figure out which ads are good and which are bad. This fiasco should serve as motivation for the ad industry to start aggressively self-regulating, including funding action against rule breakers. They'll be the death of your industry if you allow them to continue.

This Isn't Just on iPhone

[asimons04]

Using the SMS URL scheme in Chrome on Android does the exact same thing. If any webpage has a link or uses Javascript to simulate a click to an SMS URL, it will bring up your default messaging app with a pre-populated phone number and optional message.

[a href="sms:+18005551234?body=hello%20there"]SMS Me[/a]

Like iOS, this does not automatically send the message. I don't know why this is not reported as being just a feature of modern browsers like the old mailto: tag. This is a feature, not an exploit. Whether or not it should even be a feature in the first place is another argument altogether.

Easy solution.... pull the app....

[CraigCruden]

If an ad is caught doing this the app gets pulled from the app store. Makes the advertising useless.

Re:Easy solution.... pull the app....

[cfalcon]

Really? I found several webpages that spam opened the app store when visited, to whatever was being promoted. Way too often for it to be a fully bannable offense. I bet the developer just has to be like "ohh noooo i had no ideaaaaaa" and all is well.

Where would I report abuse like this anyway?

Block them ads!

[cfalcon]

Yet another great reason to block all ads under all circumstances. You control what displays on your property, not some remote server! Give them a pixel, they'll take root if they can.

Not "new"...

[m2pc]

Apple has supported the "sms:" URL scheme on iOS for years now. Here's a site with a how-to from 2013.