Users of Apple's iPhone are being advised to avoid automatically dialling numbers from web pages after a researcher outlined possible security flaws.
The vulnerability lies within the iPhone's ability to automatically dial numbers listed on web pages via the Safari browser.
SPI Labs lead researcher Billy Hoffman warned in a company blog that malicious code could be disguised as phone links and used to run up service charges or render the iPhone useless.
Other possible implications of the vulnerability include cross-site scripting attacks, tracking a user's phone activity or causing a denial-of-service attack.
Hoffman said that the issue has been reported to Apple, and advised users to avoid following phone links in Safari until the company can issue a fix.
Other experts downplayed the risk, however. Paul Moriarty, director of internet content security at Trend Micro, said that similar avenues for attack have been found in other smartphones, and there is normally little danger to users.
"If you want to get a headline, maybe, but you are not going to make a whole lot of money," he said.
Moriarty explained that duping users into dialling premium numbers is not a solid business plan, given the policies of many service providers.
"If I call AT &T and dispute [the charges] the chances are they are going to erase it and hit the other company back for the money," he said.
"It strikes me as a much less convenient way to make money if I already have the skills to go out and conquer PCs."
Moriarty pointed out that there are only a million or so iPhones out there to exploit, but hundreds of millions of poorly maintained PCs with unpatched vulnerabilities ripe for attack.
iPhone dialler labelled security risk
By
Shaun Nichols
on Jul 19, 2007 7:45AM
.jpg&q=95&h=298&w=480&c=1&s=1)
