A bug in Apple’s WebView allows an attacker to initiate phone calls without user confirmation
Twitter and LinkedIn iOS apps are vulnerable!
The security researcher Collin Mulliner has discovered an exploitable vulnerability in Apple’s WebView that could allow phone calls to a number of the attacker’s choosing.
iOS WebViews can be used to automatically call an attacker-controlled phone number. The attack can block the phone’s UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible.
Mulliner said the vulnerability is trivial to exploit, requiring at minimum a single line of HTML, and that iOS developers who have embedded Apple’s WebView in their mobile apps need to be aware of it.
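One way an app developer can close this hole on the application side, as an added example that is neither Mulliner’s code nor taken from the affected apps (it assumes the app embeds WKWebView; the class and method names are hypothetical):

```swift
import UIKit
import WebKit

// Added example, not code from the original post or from any affected app.
// Assumption: the app uses WKWebView and this controller is its navigation delegate.
final class GuardedWebViewController: UIViewController, WKNavigationDelegate {

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }

        switch scheme {
        case "http", "https":
            // Ordinary web navigation stays inside the WebView.
            decisionHandler(.allow)
        case "tel", "telprompt", "facetime", "facetime-audio":
            // Never let a dial-type URL reach the OS from the navigation path,
            // whether it came from a tap, a redirect, a meta refresh or an iframe.
            decisionHandler(.cancel)
            // Only an explicit user tap may lead to a call, and only after the
            // user has seen the exact number and confirmed it.
            if navigationAction.navigationType == .linkActivated {
                confirmBeforeDialing(url)
            }
        default:
            // Other custom schemes (sms:, third-party app URLs, ...) are dropped too.
            decisionHandler(.cancel)
        }
    }

    private func confirmBeforeDialing(_ url: URL) {
        // Strip "<scheme>:" so the alert shows the raw number the page asked for.
        let number = String(url.absoluteString.dropFirst((url.scheme ?? "").count + 1))
        let alert = UIAlertController(title: "Place a call?",
                                      message: "This page wants to call \(number).",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

Cancelling unconditionally and re-issuing the call only from the confirmation handler is what prevents page content from dialing on its own, regardless of what the framework default does with tel: URLs.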
https://www.youtube.com/watch?v=WuFx4lxF8DY
References
https://www.mulliner.org/blog/blosxom.cgi/security/ios_webview_auto_dialer.html