A researcher found that mobile apps with Apple's WebView embedded into them are vulnerable to denial-of-service...
attacks and phone calls initiated by attackers. An individual has been arrested for tweeting an exploit that resulted in a flood of calls being made by those who clicked on it to 911 emergency call centers. How does WebView work, and how are attackers taking advantage of it?
The WebKit framework that Apple uses allows iOS developers to display web content and implement common browser features, such as following hypertext links when clicked by the user and managing a history of pages visited recently. It greatly simplifies the complicated process of loading webpages.
WebView is the core view class in the WebKit framework, and it is used by many apps, such as Twitter and LinkedIn, as it can style and render content very efficiently.
There have been various vulnerabilities discovered in the WebKit framework over the years, and one that was reported to Apple by researcher Collin Mulliner back in 2008 appears to have resurfaced. The vulnerability allows an attacker to initiate phone calls to numbers of their choosing.
The WebKit framework vulnerability is trivial to exploit; an attacker only needs the victim to visit a site hosting a few simple, but malicious, lines of HTML code that redirects them to a Uniform Resource Identifier for telephone numbers (tel URI).
The vulnerability is due to poor programming, combined with weak WebKit framework defaults and a possible bug with the handling of tel URIs. Due to its ease of exploitation, app developers that use WebView to display content should review their code and ensure that it is not vulnerable to this attack as soon as possible. Note that apps that open links in the Safari or Chrome mobile apps are not vulnerable. There should be code within an app that checks the URL schema before executing it, and that shows the user a pop-up dialog before executing a tel URI or opening another app on the device.
Until there are app mitigations against this attack, and Apple changes the default behavior of WebView, malicious or compromised sites can exploit this vulnerability to force a victim's phone to dial premium rate numbers; launch denial-of-service attacks, like the attack against the 911 service; or obtain the user's phone number.
Learn the basics of developing an iOS application
Find out how a bug in the Signal app allowed for the alteration of encrypted attachments
Read how the Instagram app can be turned into C&C infrastructure
Dig Deeper on Denial of Service (DoS) Attack Prevention
Related Q&A from Michael Cobb
The development of WPA3 helps advance Wi-Fi protocol, as the next generation of Wi-Fi-enabled devices begins to demand more. Expert Michael Cobb ... Continue Reading
An increase of IoT botnets has been seen since the Mirai malware source code was leaked. Learn how the new variants pose to be a serious threat to ... Continue Reading
Android Pixel vulnerabilities could open the smartphone up to attack. Expert Michael Cobb explains the vulnerabilities and how to defend against them. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.