Apple’s iPhone has a built in function that allows users to dial numbers from within its Safari web browser; a neat little function, yes, until a flaw leaves your phone open to attackers, allowing them to steal your minutes and possibly your money.

The flaw was recently discovered by Security research firm, SPI Labs, that allows Safari’s access to the iPhone’s functions to be exploited by attackers to perform various attacks such as tracking a users phone calls, placing calls from the victims phone without knowledge, redirecting calls placed by the user, preventing the phone from dialing, and even locking the iPhone up by putting it into an infinite loop of attempting calls.

SPI Labs warns on its blog:

 ”these types of attacks can be launched from a malicious website, from a legitimate website that has Cross-Site Scripting vulnerabilities, or as part of a payload of a web application worm.”

An attacker could potentially steal money from iPhone owners by forcing their phone to dial 900 numbers that are owned by the assailant. SPI Labs notes that users could also get blackmailed into dialing a 900 to prevent other people from knowing about an embarrassing phone call.

SPI Labs contacted Apple on July 6 and have been working with them ever since to resolve the problem.

SPI Labs recognizes the unique urgency of these issues and the large number of people that could be affected. As such, SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues.

There have currently been no reports of users’ iPhones being hacked, but now the information has been made public, it surely won’t be long.

Related:

Entry was posted on Tuesday, July 17th, 2007 at 3:05 pm under Uncategorized.

Read more entries by George Gardner.
Stumble It!