Slashdot Mirror


Advertisers Already Using New iPhone Text Message Exploit

Andy Smith writes: The annoying App Store redirect issue has blighted iPhone users for years, but now there's a new annoyance and it's already being exploited: Visit a web page on your iPhone and any advertiser can automatically open your messages app and create a new text message with the recipient and message already filled in. We can only hope they don't figure out how to automatically send the message, although you can bet they're trying.

17 of 111 comments

  1. Not clicking that by Anonymous Coward · · Score: 5, Funny

    Visit a web page on your iPhone and any advertiser can automatically open your messages app

    You'll forgive me if I don't click that

  2. See by Greyfox · · Score: 4, Insightful

    It's shit like that that drives people to adblock. And also to class action lawsuits.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:See by jellomizer · · Score: 4, Insightful

      Exactly, Adblocking for the most part isn't about trying to stop advertising that helps pay for the operation of the website, but to stop abusive ad companies that attempt to turn your full device into an advertising media. Especially when it gets past the site you are viewing, then the ad revenue doesn't go to the web-site but only to the advertising company, thus creating a no benefit business model.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:See by Anonymous Coward · · Score: 2, Insightful

      I do not currently and do not expect to ever have a personal opposition to advertisements hosted on the same server as the page I am viewing and inserted by server-side script.

      So long as the advertisements are handled by a third party client-side script, page owners can claim ignorance of what is being advertised through their page. This willful refusal to assess their own contribution to the spread of malicious software is why I have no doubts about my decision to use ad blockers and a nice big host file.

    3. Re:See by JustAnotherOldGuy · · Score: 4, Insightful

      Exactly, Adblocking for the most part isn't about trying to stop advertising that helps pay for the operation of the website, but to stop abusive ad companies

      Bingo. I'd be happy seeing a reasonable number of non-intrusive ads on a page, but that's not the problem here.

      I run AdBlock specifically to try and avoid the malware-laden ads and auto-playing ads with sounds. I have no problem with text ads whatsoever, but when ads cross the line and infect my PC or blare sound unrequested, that's it.

      The advertisers have really brought this on themselves for the most part. Not 100% of the blame, but ~95% of the blame is on them.

      I say 95% because I realize it's hard to vet every ad, especially those with flash, but that's not my problem- it's their problem and if they can't get a grip on it then they completely lose my eyeballs.

      Really, I don't mind a reasonable number of benign ads, but infecting my PC isn't something I'm willing to agree to.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:See by Anonymous Coward · · Score: 2, Informative

      Server-side scripting is just a fancy way of saying "static HTML generated by the server and sent to your client as-is". It's not a script you have to run, as that would be client-side scripting (a.k.a. Javascript).

      For all practical intents and purposes, "server-side scripting" produces static HTML. (The only reason there's a distinction at all is because of page caching.)

    5. Re:See by ripvlan · · Score: 2

      Yes - right on.

      I've noticed that many websites that link from FB in the mobile app are overtaken by the ads they serve. I tried reading a newsy item and each time the site came up briefly before auto-forwarding to some spammy ad site instead. Pressing the Back button didn't work - the original site was unusable.

      These bad-ads are affecting "legitimate" content sites.

      I haven't seen this behavior in mobile Chrome. But whatever browser FB uses isn't all that secure. I've wondered how much extra tracking happens in that browser? (e.g. where do I clear my cookies?)

  3. Computer fraud ... by gstoddart · · Score: 4, Interesting

    So when will we start holding ad agencies accountable for what is basically hacking?

    This is precisely why I will never have any qualms about blocking every damned ad site I can possibly identify ... because they're all run by assholes who feel entitled to do anything they wish.

    They're untrustworthy, and willing to do anything for a buck. Which means we should be blocking the hell out of this shit.

    Boo hoo to anybody who says they need the ad revenue ... unless you plan on being accountable for this shit done by your advertisers, stop expecting us to trust them or you.

    --
    Lost at C:>. Found at C.
    1. Re:Computer fraud ... by lesincompetent · · Score: 2

      I didn't read TFA but I think these advertisers are using a feature.
      Am I wrong?

  4. Why does this API exist? by ZorinLynx · · Score: 4, Insightful

    Why is there an API for sending a text message from a web page? Why does this need to exist at all?

    You'd think someone at Apple, when they came up with the idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

    Same deal with javascript being able to open the App Store. WHY??

    1. Re:Why does this API exist? by cdrudge · · Score: 4, Informative

      Why is there an API for sending a text message from a web page? Why does this need to exist at all?

      You'd think someone at Apple, when they came up with the idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

      It wasn't shot down when mailto: was included in the HTML spec. As long as the API doesn't allow you to actually send it without further consent, how is it any different than every other app's "Send to Facebook|Twitter|Email|Whatever" functionality?

    2. Re:Why does this API exist? by tlhIngan · · Score: 4, Interesting

      Why is there an API for sending a text message from a web page? Why does this need to exist at all?

      You'd think someone at Apple, when they came up with the idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

      Same deal with javascript being able to open the App Store. WHY??

      JavaScript can't open the App Store. What it can do is open a link to iTunes. What happens here is if you click a link that points to iTunes (iTunes Preview), on the desktop, it goes to a page that shows you the target, followed by a button that says "Open in iTunes" at which point iTunes is supposed to open and go to the app/music/movie/tv page of that item.

      On iOS, if you do the same, instead of iTunes opening, it goes to the appropriate store that sells the item. This is a regular feature and it's the same on iOS or Android. If you click on the "Apple App Store" button or the "Get it on Google Play", same result - it takes you to that product page in the appropriate store. Both are basically links that get treated specially.

      Likewise, it's possible to do text messaging - iOS has the ability to recognize phone numbers on webpages, and if you tap them, gets you the ability to send a text or phone that number. (Sometimes its heuristics mess up in humorous ways).

      That's by design.

      However, iOS does not allow anyone to send a text, make a phone call, send an email or other things without manual intervention. Siri can do it, but only after Siri composes it for you. Again, this is for safety purposes - apps cannot programmatically run up your phone bill. So at worst, you have an app switch out to Messages or Mail or the App Store on you. But at that point, you must tap "Purchase" or "Send" to actually perform the task. (a webpage can't do it because at that point, the other app is onscreen)

      I wouldn't call this a new phenomenon ... I have seen ads do this for years - especially on mobile ones where they pop up a full screen interstitial that advertises some freemium game and the javascript calls open() on it which triggers the app store.

      It's really a form of advertising that's existed on desktops for years exploiting the new mobile technology, except instead of switching between apps, it's triggering plugins.

      Heck, the email one is really a lot like mailto: URLs that can fill in the To, Subject and body of a message, and wait for you to click Send.

    3. Re:Why does this API exist? by Ronin+Developer · · Score: 3, Insightful

      However, there is no cost if you don't hit "Send". You have the option to cancel the text just as we have done for years with mailto: links.

      Now, if they figure out how to actually send the text without consent, that's another game altogether.

  5. This means war!! by Anonymous Coward · · Score: 3, Funny

    Well, not a real war. I mean, it's just the Internet, so like a hacker war or something. And I'm probably not going to do anything about it. Don't know anything about hacking, personally. But I'm sure someone somewhere out there will take up the torch! I just need a catchy hashtaggy thingy, and I guess I'd have to make a Twitter account? Wow, that sounds like a lot of work for a war. Uh, I guess someone else who already uses Twitter would have to do that part.

    Anyway, I've done my part. It's now up to you, random outraged people of the Internet! Focus your anger and hatred into something positive and wage unholy war on these adver--what's that? 50% off penis enlargements and porn? HOW DO I HIT SEND FASTER!? AWAY!!

  6. mailto: by Aaden42 · · Score: 3, Insightful

    How is this different than a mailto: link which can populate the subject, body, etc. but not actually send it until you tap send?

    1. Re:mailto: by clonehappy · · Score: 4, Insightful

      It's not.

      Just like every meatspace annoyance turned into public hyperventilation when translated into computer annoyances, now every regular computer annoyance means public hyperventilation when translated into mobile annoyances.

      Even for slashdot, calling this an "exploit" is a fucking stretch. But oh yeah, fuck Apple or something...

  7. This Isn't Just on iPhone by asimons04 · · Score: 2

    Using the SMS URL scheme in Chrome on Android does the exact same thing. If any webpage has a link or uses Javascript to simulate a click to an SMS URL, it will bring up your default messaging app with a pre-populated phone number and optional message.

    <a href="sms:+18005551234?body=hello%20there">SMS Me</a>

    Like iOS, this does not automatically send the message. I don't know why this is not reported as being just a feature of modern browsers like the old mailto: tag. This is a feature, not an exploit. Whether or not it should even be a feature in the first place is another argument altogether.
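
The SMS URL scheme described in the comment above, seen from the side of a publisher vetting third-party ad markup. This is an added example, not part of the original thread; `parseSmsUri`, `auditCreative` and the two sample creatives are hypothetical names and constructed inputs. It lists every `sms:` URI in a creative, decodes the pre-filled recipient and body, and flags creatives that would open the messaging app without a user tap.

```javascript
// Added example (hypothetical helper names): audit ad markup for sms: URIs.
const SMS_URI = /\bsms:[^\s"'<>\]]*/gi;
// An HTML href attribute (preceded by whitespace), not a script's location.href.
const HREF_ATTR_BEFORE = /\shref\s*=\s*["']?$/i;
const SYNTHETIC_CLICK = /\.click\s*\(|dispatchEvent\s*\(/;

// Split "sms:<recipients>?body=<text>" into its parts.
function parseSmsUri(uri) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(uri);
  if (!m) return null;
  const recipients = m[1].split(',').filter(Boolean);
  let body = null;
  for (const pair of (m[2] || '').split('&')) {
    const eq = pair.indexOf('=');
    if (eq === -1 || pair.slice(0, eq).toLowerCase() !== 'body') continue;
    try {
      body = decodeURIComponent(pair.slice(eq + 1));
    } catch (e) {
      body = pair.slice(eq + 1); // malformed percent-encoding: keep raw text
    }
  }
  return { recipients, body };
}

// Return one finding per sms: URI found in the creative's source text.
function auditCreative(source) {
  const syntheticClick = SYNTHETIC_CLICK.test(source);
  const findings = [];
  for (const match of source.matchAll(SMS_URI)) {
    const inHref = HREF_ATTR_BEFORE.test(source.slice(0, match.index));
    findings.push({
      uri: match[0],
      ...parseSmsUri(match[0]),
      // A plain link needs a tap; a script-driven navigation or click does not.
      opensWithoutTap: !inHref || syntheticClick,
    });
  }
  return findings;
}

// Constructed samples: the link from the comment, alone and with a scripted click.
const linkOnly = '<a href="sms:+18005551234?body=hello%20there">SMS Me</a>';
const scripted = '<a id="x" href="sms:+18005551234?body=hello%20there">x</a>' +
  '<script>document.getElementById("x").click()</script>';

console.log(auditCreative(linkOnly), auditCreative(scripted));
```

The click and `href` checks are text heuristics over the creative's source, so a hit is a reason to review the creative rather than proof of behaviour.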