A Dangerous iPhone Bug Is Back, Thanks To Poor App Security


Back in the early 2010s, the iPhone had a strange, and nasty, bug which forced the iPhone to repeatedly call 911. The bug was quickly fixed, but last month it reared its ugly head again, much to the bafflement of Apple and tech watchers. How did it come back? It’s because the apps you use are desperate for clicks.

The bug is basically a denial-of-service attack: if you click on a malicious link, your phone dials 911 while opening a bunch of apps and windows simultaneously, locking up the user interface but not the call. If that sounds bad, well, it is; last month’s case saw a hundred 911 calls arrive at an Arizona response center in a matter of minutes. But how did it come back when Apple patched the problem years ago?

It turns out Apple only fixed Safari. You might notice that if you use an app like Twitter, you don’t go to Safari, but rather something called “WebView,” a pseudo-browser that mostly exists so you don’t leave the app. In part this is for a better user experience, so you can read and click back to the app more easily, but it also allows these apps to claim you spend more time on the app than you actually do, which looks good to investors. And nobody bothered to check if this bug worked with WebView, until now.

Until it’s patched, which will hopefully be soon, iPhone users should protect themselves by avoiding WebView where possible and only clicking absolutely trusted links in apps that use WebView, like Twitter and LinkedIn. More to the point, check these apps to see if you can opt to open links in Safari instead of WebView, and if not, contact the development team and ask them why.

(Via Bleeping Computer)
