Facebook’s already controversial Messenger app is making headlines again with a security flaw on iOS devices that could lead to iPhone users being charged for expensive, unwanted phone calls.
iOS native applications like Mail and FaceTime handle phone numbers through a URL scheme called `tel:`. With this scheme, the number is dialed immediately when the link is tapped; the user is never asked to confirm.
Third-party apps like Facebook Messenger and Google+, by contrast, are supposed to ask the user to confirm before dialing a number. In practice this confirmation is often disabled, as it is in Facebook Messenger, so a tapped `tel:` link places the call straight away.
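The safe behaviour described above, a `tel:` link that is never dialed without an explicit confirmation, can be illustrated in the handler an app's web view would run when a link is tapped. The following is an added example, not code from the article, from Facebook or from Guillaume Ross: it parses the `tel:` URL (handling percent-encoding, visual separators and `;parameter` suffixes, which goes beyond the article's description), normalizes the number so the user sees exactly what will be dialed, and places the call only if a confirmation callback approves. The `confirmDial` callback, `dialImmediately` and all sample URLs are constructed for the example; the callback stands in for the platform's confirmation prompt.

```javascript
// Added example: a defensive tel: link handler for an app's web view.
// The contrast with dialImmediately() below is the whole point: that
// function reproduces the no-confirmation behaviour the article describes.

const TEL_SCHEME = /^tel:/i;
// RFC 3966 permits "-", ".", "(" and ")" as visual separators; whitespace
// is tolerated here too because it survives percent-decoding.
const VISUAL_SEPARATORS = /[-.()\s]/g;

// Parse and normalize a tel: URL. Returns { ok, number } or { ok, reason }.
function parseTelUrl(url) {
  if (typeof url !== "string" || !TEL_SCHEME.test(url)) {
    return { ok: false, reason: "not a tel: URL" };
  }
  // Drop the scheme and any ";parameter" suffix (e.g. ";phone-context=...").
  let number = url.replace(TEL_SCHEME, "").split(";")[0];
  try {
    number = decodeURIComponent(number);
  } catch (e) {
    return { ok: false, reason: "malformed percent-encoding" };
  }
  number = number.replace(VISUAL_SEPARATORS, "");
  // Policy choice for this example: only an optional "+" and 2-15 digits may
  // remain. DTMF pause/wait characters and "*"/"#" service codes are rejected
  // so the number shown to the user is exactly the number that gets dialed.
  if (!/^\+?\d{2,15}$/.test(number)) {
    return { ok: false, reason: "unsupported characters in number" };
  }
  return { ok: true, number };
}

// Hardened handler: dial only after confirmDial(number) returns true.
// confirmDial is a hypothetical callback standing in for the OS prompt.
function handleTelLink(url, confirmDial) {
  const parsed = parseTelUrl(url);
  if (!parsed.ok) {
    return { dialed: false, reason: parsed.reason };
  }
  if (!confirmDial(parsed.number)) {
    return { dialed: false, reason: "user declined", number: parsed.number };
  }
  return { dialed: true, number: parsed.number };
}

// Unsafe counterpart: anything that starts with tel: is dialed as-is,
// with no parsing and no prompt. This is the behaviour to look for in review.
function dialImmediately(url) {
  if (!TEL_SCHEME.test(url)) {
    return { dialed: false, reason: "not a tel: URL" };
  }
  return { dialed: true, number: url.replace(TEL_SCHEME, "") };
}

// Constructed sample links, including a percent-encoded one and one
// carrying an RFC 3966 parameter.
function demo() {
  const links = [
    "tel:+1-514-555-0199",
    "tel:%2B1%20514%20555%200199",
    "tel:+1-900-555-0199;phone-context=example",
    "tel:*72",
    "http://example.com",
  ];
  // A deny-all callback models a user who refuses every prompt.
  return links.map((link) => ({
    link,
    safe: handleTelLink(link, () => false),
    unsafe: dialImmediately(link),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see that the unsafe handler dials every `tel:` link while the hardened one dials none without approval, and rejects the malformed and service-code links outright.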
Facebook will be patching the flaw in the near future.
Guillaume K. Ross, an information security consultant in Montreal, presented the flaw during a talk at BSidesLV 2014.