A security researcher says Apple has made a poor security decision by allowing Safari to honor requests from third-party applications to perform actions such as making a phone call without warning a user, reports “Computerworld” (http://www.computerworld.com/s/article/9195578/iPhone_s_Safari_dials_calls_without_warning_says_security_expert?source=rss_news).
Safari, like other browsers, can launch other applications to handle certain URL protocols. These might be in clickable links, or in embedded iframes. An iframe containing a URL with a telephone number, for example, will cause Safari to ask if the user wants to make a phone call to that particular number, Nitesh Dhanjani, a security researcher, on the “SANS Application Security Street Fighter” blog (http://blogs.sans.org/appsecstreetfighter/2010/11/08/insecure-handling-url-schemes-apples-ios/). Users can tap a button to make or cancel the call.
However, “Computerworld” notes that Dhanjani found that behavior changes in some cases. For example, if a user has Skype installed and stays logged into the application, Safari doesn’t give an alert when it encounters a Skype URL in an iframe, and immediately starts a Skype call, he said.
“In this case, Safari throws no warning, and yanks the user into Skype which immediately initiates the call,” Dhanjani wrote. “The security implication of this is obvious, including the additional abuse case where a malicious site can make Skype.app call a Skype-id who can then uncloak the victim’s identity (by analyzing the victim’s Skype-id from the incoming call).”
Dhanjani told “Computerworld” he contacted Apple about the issue. The company said that third-party applications should be coded to ask permission before performing a transaction. But in the current arrangement, third-party applications can only ask for authorization after a person has been “yanked” out of Safari and the application has been fully launched, Dhanjani wrote.