iOS developers who have embedded Apple’s WebView into mobile apps need to be aware of an exploitable issue that could allow phone calls to a number of the attacker’s choosing.
Researcher Collin Mulliner said the vulnerability is trivial to exploit, requiring at a minimum one line of HTML code. The risks to the user include ramped-up charges to premium numbers, or worse, denial-of-service attacks similar to one last week that landed an Arizona man in jail for an exploit he shared on YouTube that allowed users to flood 911 call centers with calls with just one click.
Mulliner said that popular iOS apps such as Twitter and LinkedIn are vulnerable to attacks; the researcher said he also tested Facebook, WhatsApp, Snapchat and Yelp, and none of those apps were exposed. Mulliner cautioned, however, that he looked at only ubiquitous iOS apps, and that the number of vulnerable apps is potentially much higher.
“There are tons of other messengers and so many other social media apps, and those could potentially be vulnerable,” Mulliner said. “Any app that has a WebView in their app where a URL can be loaded that the user can submit to the app is potentially vulnerable. It’s absolutely simple. Anybody can do this.”
Mulliner went public with his disclosure after a private notification to Twitter resulted first in a quick acknowledgment and then a terse note saying that this was a duplicate issue and the ticket was closed. He also tried to disclose to LinkedIn’s bug bounty, but learned it was a private program and that someone from its security team would investigate. Apple also acknowledged a report from Mulliner and said it would investigate as well.
To exploit the vulnerability, an attacker would merely need to send the victim a link that would redirect to a site hosting the attacker’s HTML code. The code would initiate a call via the dialer on the device, which is similar to a bug Mulliner reported in 2008 to Twitter. Mulliner said he could also keep the user from disconnecting the call by forcing a second app to the home screen that would overlay the dialer. In a report he published Wednesday, Mulliner said his old code still worked. One line of HTML will trigger the dialer, 10 lines will hide the attack, he said.
“I thought this was solved eight years ago. Apparently it is not,” Mulliner said. “You don’t need anything special. Any version of the iPhone with the Twitter or LinkedIn app will work; no special software, just the ability to host an HTML page.”
Mulliner explained in his report what he believes may be happening under the covers:
“My best guess on how this works is that the IPC subsystem actually has difficulty moving several kilobytes of URL data through the various layers into the app and the target app might also not be super happy about really large URLs. I ended up with the code below. The code uses the combination of meta-refresh tag and window.location to execute the attack. The code delays setting the window.location by 1.3 seconds to guarantee that the dialer is executed first. The delay cannot be too long, otherwise the WebView will not execute the URL handler for launching the messages app. Basically you have to get the timing just right.”
Mulliner also shared demo videos of the attacks against the Twitter and LinkedIn apps.
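For developers who embed a WebView, a defensive counterpart to the attack described above, as an added example that is not from Mulliner's report or from any of the apps named: a navigation delegate that keeps page-initiated `tel:` and `sms:` navigations (meta-refresh, `window.location`) from reaching the dialer or messages app, and asks the user before opening a tapped one. It assumes the app uses `WKWebView`; the class name `DialerGuardDelegate`, the scheme list and the 64-character URL limit are hypothetical choices.

```swift
import UIKit
import WebKit

// Added example: hypothetical delegate, not code from the report or any affected app.
final class DialerGuardDelegate: NSObject, WKNavigationDelegate {
    // Schemes that hand the URL to another app (assumed list; extend as needed).
    private let guardedSchemes: Set<String> = ["tel", "sms", "facetime", "facetime-audio"]
    // Assumed upper bound: a legitimate phone-number URL is short.
    private let maxURLLength = 64
    private weak var presenter: UIViewController?

    init(presenter: UIViewController) {
        self.presenter = presenter
        super.init()
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              guardedSchemes.contains(scheme) else {
            decisionHandler(.allow)   // ordinary http(s) navigation is unaffected
            return
        }
        // The WebView itself never acts on a guarded scheme.
        decisionHandler(.cancel)

        // Meta-refresh and window.location navigations are not .linkActivated,
        // so dial attempts started by the page rather than by a tap stop here.
        guard navigationAction.navigationType == .linkActivated else { return }
        // Drop oversized URLs like the multi-kilobyte ones the report mentions.
        guard url.absoluteString.count <= maxURLLength else { return }

        // Even for a tapped link, show the target and require confirmation.
        let alert = UIAlertController(title: "Open \(scheme) link?",
                                      message: url.absoluteString,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Continue", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        presenter?.present(alert, animated: true)
    }
}
```

`WKWebView.navigationDelegate` is a weak reference, so the owning view controller has to keep the delegate instance in a stored property.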