HP Security Products Blog

SPI Labs advises avoiding iPhone feature

The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including: 

  • Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
  • Tracking phone calls placed by the user
  • Manipulating the phone to place a call without the user accepting the confirmation dialog
  • Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
  • Preventing the phone from dialing 

These types of attacks can be launched from a malicious website, from a legitimate website that has Cross-Site Scripting vulnerabilities, or as part of a payload of a web application worm. 

For example, an attacker could determine that a specific website visitor “Bob” has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone, forcing Bob to either make the call or hard-reset his phone, resulting in possible data loss.

SPI Labs researchers reported these issues to Apple on July 6 and are working with Apple to remediate the problems. However, SPI Labs recognizes the unique urgency of these issues and the large number of people that could be affected. As such, SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues.
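As an added example (not code from the SPI Labs post or from Apple), the following Node.js script shows the check a site operator would want against the redirect, tracking and silent-dial cases listed above when the site renders untrusted content such as user comments: it audits every `tel:` link in an HTML fragment, flags links whose visible text does not match the number they dial or whose dial string contains anything outside a digits-only allow-list, and rewrites the fragment so only honest links survive. The regex tokenizer, the `SAFE_DIAL` policy and the sample markup are assumptions made for this example.

```javascript
// Added example, not code from the SPI Labs post or from Apple. It audits and
// sanitizes tel: links in untrusted HTML (e.g. user comments on a site that
// iPhone users visit) so that a link can only dial the number its text shows.
// The tokenizer is a deliberate simplification; a real HTML parser belongs in
// production. All markup and numbers below are constructed for this example.

// Matches <a ...href="tel:..." ...>inner</a>; groups: attrs before href, quote,
// dial string, attrs after href, inner markup.
const TEL_LINK = /<a\b([^>]*?)\bhref\s*=\s*(["']?)tel:([^"'\s>]*)\2([^>]*)>([\s\S]*?)<\/a>/gi;

// Allow-list for what a dial string may contain: optional leading "+" then
// digits. Pauses, "*", "#" and letters are rejected because they can turn a
// "phone number" into a carrier code or a different call than displayed.
const SAFE_DIAL = /^\+?\d{3,15}$/;

// Reduce a number as written (href or visible text) to a comparable form:
// percent-decode, then drop the punctuation people use when formatting numbers.
function normalizeNumber(s) {
  let text = s;
  try { text = decodeURIComponent(s); } catch (e) { /* keep raw on bad encoding */ }
  return text.replace(/[\s().\-]/g, "");
}

// Strip tags from the anchor's inner markup so hidden elements cannot make the
// visible number differ from the text we compare against.
function visibleText(inner) {
  return inner.replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
}

// Classify every tel: link in a fragment of HTML.
//   "ok"       visible text is exactly the (safe) number the link dials
//   "mismatch" visible text is a number, but not the one dialed
//   "opaque"   visible text is not a number, so the user cannot tell what it dials
//   "unsafe"   dial string is outside the allow-list (codes, pauses, encoding tricks)
function auditTelLinks(html) {
  const findings = [];
  for (const m of html.matchAll(TEL_LINK)) {
    const dial = normalizeNumber(m[3]);
    const shown = normalizeNumber(visibleText(m[5]));
    let verdict;
    if (!SAFE_DIAL.test(dial)) verdict = "unsafe";
    else if (!/^\+?\d+$/.test(shown)) verdict = "opaque";
    else if (shown !== dial) verdict = "mismatch";
    else verdict = "ok";
    findings.push({ dial, shown: visibleText(m[5]), verdict });
  }
  return findings;
}

// Rewrite untrusted HTML so only "ok" links survive, rebuilt without any extra
// attributes (no id/onclick a page script could use to trigger a click).
// Everything else is demoted to plain text, keeping the label visible.
function sanitizeTelLinks(html) {
  return html.replace(TEL_LINK, (whole, pre, q, href, post, inner) => {
    const dial = normalizeNumber(href);
    const shown = normalizeNumber(visibleText(inner));
    if (SAFE_DIAL.test(dial) && shown === dial) {
      return `<a href="tel:${dial}">${visibleText(inner)}</a>`;
    }
    return visibleText(inner);
  });
}

// Constructed sample: one honest link, one that shows a local number but dials
// a premium one, one with an opaque label, and one with an encoded pause.
const SAMPLE = [
  '<p>Support: <a href="tel:+1-555-0100">+1 (555) 0100</a></p>',
  '<p>Billing: <a href="tel:+1-900-555-0199">+1 (555) 0100</a></p>',
  '<p><a id="dial" href="tel:+19005550199">Call us now!</a></p>',
  '<p><a href="tel:%2B15550100%2C%2C12345">+1 555 0100</a></p>',
].join("\n");

// Run as a script (e.g. `node audit.js`) to print the findings and the cleaned HTML.
if (typeof require !== "undefined" && require.main === module) {
  console.log(auditTelLinks(SAMPLE));
  console.log(sanitizeTelLinks(SAMPLE));
}
```

Normalising both sides before comparing is what makes the check useful: the second sample link differs from its label only by an area code and a few digits, which is exactly the kind of difference a user glancing at a confirmation dialog is unlikely to notice. Surviving links are rebuilt with nothing but a clean `href`, so an `id` or inline handler that a script on the page could use to click the link is dropped as well.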

Labels: iPhone | Safari | XSS
| ‎07-16-2007 06:28 PM
Don't Windows Mobile 5, Blackberries, and Treos also all allow you to click phone numbers in the browser? Or am I misremembering?
| ‎07-16-2007 10:04 PM
Could you please clarify: When the iPhone goes to the "Phone" page, does this attack cause the displayed number (at the top of the screen) to be incorrect?
| ‎07-17-2007 03:17 AM
This one is pretty silly; the same thing can be accomplished on most browsers with a simple JavaScript alert() loop:

"Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone"

while(1) alert("haha");


Also, you can "force quit" any iPhone app by holding down the home button for about 5 seconds.

I'd be interested to hear about the others though.
| ‎07-17-2007 09:33 AM
Hi Billy, the built-in browsers in Nokia phones also provide similar functionality for calling a number from a web page. Does that mean that these phones are also susceptible to similar attacks?
| ‎07-17-2007 10:41 AM
I discovered this myself 2 days after the release of the iPhone. Was even thinking of setting up a 900 number for iDummies.
Below is one variant

iPhone Autodial

```javascript
function autoClick() {
  var dial = document.getElementById('dial');
  // the rest of the function was cut off in the original comment
}
```
| ‎07-17-2007 12:55 PM

Alas, this hole is likely due to the compartmentalized development that Apple did to maintain secrecy. One hand only had partial knowledge of the other. No wonder Leopard was delayed so they could finish the iPhone. How unfortunate.

Let's hope Apple has a security release in < 3 weeks if true to Mac releases or, even better, one much sooner as it should be.

| ‎07-17-2007 02:20 PM
If this feature is found on other phones, why just publicize iPhone, a tiny percentage of the phones out there with similar capability?
Could it be just to generate buzz for SPI, and it has nothing to do with anyone actually succeeding with this ploy on any other phone, much less iPhone?
Methinks so.
| ‎07-17-2007 02:25 PM
Just to answer a few questions:

1. It's not a buffer overflow.

2. SPI has only investigated the iPhone. It's possible a similar type of issue applies to Treos or Windows Mobile devices.

3. One of the many flaws allows making the phone dial numbers other than the number appearing in the confirmation box. Sorry Akalias, it's not that simple :-)
| ‎07-17-2007 02:32 PM
Tom: I agree with you that while(1) {alert('screwed')} is a lame Denial of Service. In fact, that's why modern browsers like IE 7/Firefox 2 pop up a dialog allowing the user to kill the script. Opera has a checkbox on every dialog allowing the user to kill a script.

I assure you this is not the DoS we are discussing.
| ‎07-17-2007 02:42 PM
This functionality has been available on the Palm Treo for at least a couple of years. I have never heard a concern for this functionality on the Treo with the Blazer browser. Is the vulnerability specifically with the iPhone, the Safari browser, or with this type of dial from browser functionality in general?
| ‎07-17-2007 02:47 PM
Billy...Sorry for the redundant point. You answered my question by stating that you have only tested the iPhone. I started the comment before lunch when there were only two comments posted. I came back and finished the comment without refreshing the browser.
| ‎07-19-2007 09:24 AM
I would like to see this tested on a Treo and other phones that have this functionality in their browsers. It seems only fair — and even with whatever the iPhone sales numbers are, there are probably more of these other smartphones in the wild right now.

Plus, I can tell you that it's a PITA to update my Treo — and it doesn't really matter whether that's due to Palm or the carrier. If the iPhone is as easy to update as an iPod … well, a lot more iPhones will get patched than Treos. (I can't speak for BlackBerries or other devices.)
| ‎07-19-2007 03:27 PM

Only fair? Test the other phones yourself. There's no rule that a researcher has to go after every product is there?

For years, Windows based products have been hammered (and rightfully so) while Apple products were ignored - was that "fair"? Researchers have warned for a long time that when Apple products reach a critical level of popularity, they will get drastically increased scrutiny, and likely more flaws will be found. Guess what - that day arrived the day the iPhone shipped. Let the whining begin. . . oops, too late.

| ‎11-06-2007 10:31 PM
Very nice this blog =)