Facebook’s already controversial Messenger app is making headlines again with a security flaw on iOS devices that could lead to iPhone users being charged for expensive, unwanted phone calls.
iOS native applications like Mail and FaceTime handle phone numbers using codes called the “tel URL scheme.” In this scheme, the number is dialed immediately after clicking on the link. The user is never asked to confirm.
However, unlike native apps, mobile apps like Facebook Messenger and Google+ are supposed to have the user confirm whether they want to dial a number or not; however, this setting is often turned off, as with Facebook Messenger.
A malicious phone number sent to a user, in combination with a JavaScript code that automatically “opens” the number from within Messenger, could automatically dial a premium-rate number, which the hacker then receives revenue from.
Facebook will be patching the flaw in the near future.
Guillaume K. Ross, an information security consultant in Montreal, presented the flaw at during a talk at BSidesLV 2014.