Alert: Don't use iPhone Web dialer

lilo

Jul 2, 2007
Quote:

Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said.

"Because this vulnerability can be launched from Web sites, everybody who has an iPhone has the potential to get exploited," Hoffman said.

Details here: http://www.infoworld.com/article/07/07/16/Security-firm-says-to-not-use-iphone-Web-dialer_1.html
 

Silverado

Jul 6, 2007
I think the article goes WAY too far in recommending that we don't use the feature at all. The phone always asks you to confirm that you want to dial the number before dialing. The recommendation should be to review the number before confirming when using unknown sites.
 

spacerog

Jun 11, 2007
www.spacerogue.net
In order for the attack to work, the bad guys would have to either trick iPhone users into visiting a malicious Web site or make a legitimate Web site send untrustworthy information to the iPhone using what's known as a cross-site scripting attack.

SPI is not releasing detailed information on how the Web dialing feature could be exploited.

Whatever, I'm not worried. Sounds like a pretty remote hole. I haven't even used this feature yet at all. I don't see how anything on a web page could prevent the phone dialing out. Worst case just reset the phone, that should fix it.

- SR