Slashdot Mirror


iOS WebView Bug Can Force iPhones To Make Calls While UI Freezes (bleepingcomputer.com)

An anonymous reader writes: "A bug in the iOS WebView component allows an attacker to force someone's iPhone to dial any number, while also locking the user's interface for a few moments, preventing him from canceling the outgoing call," reports BleepingComputer. "The bug was at the heart of the recent accidental DDoS of 911 call centers across the U.S." At the heart of the issue is a Safari bug reported in 2008, which was fixed in iOS 3.0. The same bug also exists in the WebView component used by app makers to show web pages inside other apps. The researcher that found the bug writes in a blog post: "If you think automatically dialing a phone number after clicking a link in an app is not a big issue think again. DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen. [...] Apple should change the default behavior of WebViews to exclude execution of TEL URIs and make it an explicit feature to avoid this kind of issue in the future."

22 comments

  1. Here it comes by blindseer · · Score: 0

    Let the Apple bashing begin in 3... 2... 1...

    --
    I am armed because I am free. I am free because I am armed.
    1. Re:Here it comes by Anonymous Coward · · Score: 0

      ... ... nothing happens.

    2. Re:Here it comes by Goose+In+Orbit · · Score: 1

      Tried dialing that ... it was engaged ...

    3. Re:Here it comes by Anonymous Coward · · Score: 0

      OH No. Not the apple bashers. Thank you so much for the warning..

    4. Re:Here it comes by Anonymous Coward · · Score: 0

      Yes, because Android bashing never ever happens, right?

    5. Re:Here it comes by Maritz · · Score: 1

      That's the sad part of being biased. Android and Apple, and Samsung can and do all get "bashed", but it's the people who for some reason feel the need to pick a 'team' like this is a sport or something that feel all this unfair bias against them. Why does people slagging off Apple distress you? You work there or something?

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  2. Re:Solution by K.+S.+Kyosuke · · Score: 1

    I'm pretty sure the buggy software is being made in America, not in China.

    --
    Ezekiel 23:20
  3. Re:Solution by 110010001000 · · Score: 1

    I'll bet it was written by immigrants! We need to build a wall around Apple HQ to keep them out and make America great again!

  4. Re:TRUMP TRUMP TRUMP by Joe_Dragon · · Score: 0

    yes due to that teenager is going to federal POUND ME IN THE ASS prison.

  5. Re:Solution by Yvan256 · · Score: 4, Funny

    I'm pretty sure the buggy software is being made in California, not in America.

    At least that's what Apple keeps writing on their packaging.

  6. UIWebView vs WKWebView by infernalC · · Score: 2

    There is no library class WebView. Is this bug in UIWebView, WKWebView, or both? It'd be nice if TFA would say.

    1. Re:UIWebView vs WKWebView by GabeGhearing · · Score: 1

      This isn't a bug in Safari or UIWebView, which both handle TEL: links with a popup.

      With WKWebView, Apple no longer provides any default support for TEL: links so people have to write their own. Seems Twitter and LinkedIn are being lazy/reckless and just immediately dialing any tel: link they see...
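Added example, not part of the comment above and not code from Apple or any app named in the thread: a sketch of app-side `tel:` handling for a WKWebView that never dials on its own, ignores dial requests WebKit does not report as a link activation, and asks the user before placing a call. The class name `InAppBrowserViewController`, the helper `confirmCall(to:)` and the scheme allowlist are assumptions made for illustration.

```swift
import UIKit
import WebKit

// Hypothetical in-app browser; class and helper names are illustrative only.
final class InAppBrowserViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()
    override func viewDidLoad() {
        super.viewDidLoad()
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        webView.navigationDelegate = self   // every navigation is vetted below
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        switch scheme {
        case "http", "https", "about":      // assumed allowlist for page loads
            decisionHandler(.allow)
        case "tel":
            // The web view itself never acts on a tel: URI.
            decisionHandler(.cancel)
            // Ignore dial requests that WebKit does not report as a link
            // activation in the main frame (redirects, subframe loads).
            guard navigationAction.navigationType == .linkActivated,
                  navigationAction.targetFrame?.isMainFrame ?? false else { return }
            confirmCall(to: url)
        default:
            decisionHandler(.cancel)
        }
    }

    private func confirmCall(to url: URL) {
        guard presentedViewController == nil else { return }  // one prompt at a time
        let number = url.absoluteString.dropFirst("tel:".count)
        let alert = UIAlertController(title: "Call \(number)?", message: nil, preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

The confirmation prompt is the real gate here: the navigation-type check only filters out obvious non-tap requests before the user is asked.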

  7. So it's true by JustAnotherOldGuy · · Score: 1

    "A bug in the iOS WebView component allows an attacker to force someone's iPhone to dial any number,"

    iOS and Safari and vulnerabilities- they just work!

    --
    Just cruising through this digital world at 33 1/3 rpm...
  8. Altogether NOW! by Anonymous Coward · · Score: 0

    We all live in a yellow submarine
    A yellow submarine
    A yellow submarine

    Ain't a word!

  9. No problem... by Anonymous Coward · · Score: 0

    I'll just pull the battery out of my phone.

    Oh...

  10. batteries by Anonymous Coward · · Score: 0

    no worries, you can just pull your battery out and... oh, never mind.