If you’re an iPhone user, you may want to be cautious about opening messages that contain phone numbers in the near future; they may cost you a lot of money. Developer Andrei Neculaesei notes that maliciously coded links in some apps will abuse the “tel” web handler to automatically make a phone call the moment you view a message. Potentially, an evildoer could force you to call an expensive toll number before you’ve had a chance to hang up. The exploit isn’t limited to any one app or developer, either. Facebook Messenger, Gmail and Google+ all fall prey to the attack, and it’s likely that other, less recognizable apps exhibit similar behavior. Apple’s Safari browser will ask you before starting a call, but FaceTime’s behavior lets you pull a similar stunt.
A security precaution skipped in mobile applications such as Facebook’s Messenger could be abused to make an expensive phone call at a victim’s expense, a developer contends. Phone numbers often appear as links on a mobile device. That is done by using a Uniform Resource Identifier (URI) scheme called “tel” to trigger a call. URI schemes are a large family of descriptors that tell a device how to reach a certain resource, such as launching a mail application when an email address is clicked. Andrei Neculaesei, a full-stack developer with the wireless streaming company Airtame in Copenhagen, contends there’s a risk in how most native mobile applications handle phone numbers. If a person clicks on a phone number within Apple’s mobile Safari browser, a pop-up asks whether the person wants to proceed with the call. But many native mobile applications, including Facebook’s Messenger and Google+, will go ahead and place the call without asking, Neculaesei wrote on his blog. Mobile apps can be configured to display a warning, but in most applications it’s turned off, Neculaesei said via email on Thursday.
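The confirmation step the article says most apps skip can be enforced by the app itself: the added example below (written for this page, not code from Neculaesei or any of the apps named) shows a WKWebView delegate that cancels any navigation to a call-placing scheme and shows the target number in an alert before handing the URL to the OS. The helper name `requiresDialConfirmation` and the class name are assumptions.

```swift
import UIKit
import WebKit

// Schemes that start a call or FaceTime session as soon as iOS opens them.
let dialingSchemes: Set<String> = ["tel", "facetime", "facetime-audio"]

/// True when opening `url` would place a call, so the user must consent first.
/// (Assumed helper name; not part of any app on the page.)
func requiresDialConfirmation(_ url: URL) -> Bool {
    guard let scheme = url.scheme?.lowercased() else { return false }
    return dialingSchemes.contains(scheme)
}

final class SafeLinkViewController: UIViewController, WKNavigationDelegate {
    let webView = WKWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        view.addSubview(webView)
    }

    // Every navigation the rendered content triggers passes through here, including
    // ones fired by script without a tap, which is how the auto-dial abuse works.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url, requiresDialConfirmation(url) else {
            decisionHandler(.allow)
            return
        }
        // Never forward a dialing URL automatically: cancel the navigation and ask,
        // displaying the exact number so a premium-rate destination is visible.
        decisionHandler(.cancel)
        let number = String(url.absoluteString.dropFirst((url.scheme ?? "").count + 1))
        let alert = UIAlertController(title: "Call \(number)?",
                                      message: "This content is trying to start a call.",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url)
        })
        present(alert, animated: true)
    }
}
```

Phone numbers that iOS data detectors turn into links inside a UITextView bypass the web view entirely; those go through `textView(_:shouldInteractWith:in:interaction:)` and need the same check there.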