Gone are the days when everyone – wrongly – believed that Apple’s devices, such as iPhones, iPads and Macs, simply weren’t susceptible to malware or malicious remote interference from unscrupulous individuals.

Granted, malware and software designed to take data from an iPhone is less common on iOS than it is on competing platforms, but the important thing to note is that it does exist, and so do bugs in Apple’s iOS platform. One such bug allows a user to tap on a link that will then force the device to call a pre-defined telephone number, such as 911, repeatedly.

ios-dialer-bug

Rather than being a piece a remote code built into apps that is then remotely executed, this is more of a bug in the actual iOS platform that can be invoked by using a purposely designed URL or link.

It can be thought of in a similar fashion to the text messaging bug that crashed Apple’s devices and forced them into a boot loop when a very unique string of characters was received as part of a conversation. Tapping on this shared link, either via social media like Facebook or Twitter, or received via text message or WhatsApp, forces the iPhone’s user interface to lock up, and the Phone app to make a call.

The fact that it locks up means that the user simply finds it almost impossible to stop or prevent the call from happening. This has been a particularly irritating issue in Arizona after a man was arrested for invoking more than 100 calls to his local 911 contact center in less than a minute. If this link was freely distributed via social media, with the pre-defined telephone number pointing directly to the emergency services in that local area, you can immediately get an understanding of how dangerous it could actually be.

The interesting thing here is that Apple actually already knows about this bug, which dates all the way back to iPhone OS 3. Yes, iOS was called iPhone OS back in the day. The Cupertino-based company had actually fixed the issue via Mobile Safari, but it has now become clear that it still exists in the WebView baked into apps like Facebook, Twitter, LinkedIn etc., and can still be executed.

Collin Mulliner, the researcher who discovered the bug in its latest form, has reported the issue to Apple in the hope that it will be patched sooner rather than later in a software update to iOS. Interestingly, he has also followed the up with videos demoing just how the bug actually works. The two videos can be seen embedded below.

(iOS WebView auto-dialer bug in Twitter app)

(iOS WebView auto-dialer bug in LinkedIn app)

(Source: Collin Mulliner)

You may also like to check out:

You can follow us on Twitter, add us to your circle on Google+ or like our Facebook page to keep yourself updated on all the latest from Microsoft, Google, Apple and the Web.

Related Stories