
Wednesday, November 10, 2010

iPhone Can Make Calls WITHOUT Your Knowledge

iPhone’s Safari dials calls without warning, says security expert. A security researcher is asserting that Apple has made a poor security decision by allowing its Safari browser to honor requests from third-party applications to perform actions such as making a phone call without warning a user. Safari, like other browsers, can launch other applications to handle certain URL protocols. These URLs might be in clickable links or in embedded iframes. An iframe containing a URL with a telephone number, for example, will cause Safari to ask if the user wants to make a phone call to that particular number, the researcher wrote on the SANS Application Security Street Fighter blog.

Users can tap a button to make or cancel the call. But the researcher found that behavior changes in some cases. For example, if a user has Skype installed and stays logged into the application, Safari does not give an alert when it encounters a Skype URL in an iframe, and immediately starts a Skype call, he said. The researcher said he contacted Apple. The company said third-party applications should be coded to ask permission before performing a transaction. But in the current arrangement, third-party applications can only ask for authorization after a person has been “yanked” out of Safari and the application has been fully launched. “A solution to this issue is for Apple to allow third-party applications an option to register their URL schemes with strings for Safari to prompt and authorize prior to launching the external application,” he wrote.
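As an added example (not from the original post or the researcher), a defender reviewing web content can flag iframes whose `src` uses a URL scheme that the browser hands to another application. The scanner is a regex heuristic rather than a full HTML parser; the function names, the list of in-browser schemes and the sample markup are constructed for illustration.

```javascript
// Schemes the browser handles itself; any other scheme is passed to another app.
const IN_BROWSER = new Set(["http", "https", "about", "data", "blob", "javascript"]);

// Return the URL scheme in lower case, or null for a relative URL.
function schemeOf(url) {
  // Browsers ignore leading whitespace/control characters and embedded tab/newline.
  const cleaned = url.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\r\n]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Report every <iframe> whose src points at an external-application scheme.
function findExternalSchemeIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  // Match src= as its own attribute (not data-src), quoted or unquoted.
  const srcRe = /[\s"']src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(tag[0]);
    if (!src) continue;
    const url = src[1] ?? src[2] ?? src[3];
    const scheme = schemeOf(url);
    if (scheme !== null && !IN_BROWSER.has(scheme)) {
      findings.push({ scheme, url, offset: tag.index });
    }
  }
  return findings;
}

// Constructed sample markup: two ordinary frames, two that launch another app,
// and one data-src attribute that must not be reported.
const SAMPLE_HTML = `
<p>Constructed test page</p>
<iframe src="https://example.com/widget"></iframe>
<iframe src="tel:+15555550100"></iframe>
<IFRAME SRC=' Skype:constructed.user'></IFRAME>
<iframe src="/relative/path.html"></iframe>
<iframe data-src="tel:+15555550199"></iframe>
`;

for (const f of findExternalSchemeIframes(SAMPLE_HTML)) {
  console.log(`offset ${f.offset}: iframe hands "${f.scheme}:" URL to an external app`);
}
```

The same check can run in a proxy, a content-review pipeline or a test suite for pages that accept user-supplied markup.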

Source: http://www.computerworld.com/s/article/9195578/iPhone_s_Safari_dials_calls_without_warning_says_security_expert
