Security researchers at SPI Labs are warning iPhone users not to use the device's web dialer, a feature intended to give users an easy way to call numbers listed on web pages. According to lead researcher Billy Hoffman, attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or to track calls placed by the iPhone owner.
"Because this vulnerability can be launched from web sites, everybody who has an iPhone has the potential to get exploited," Hoffman said. "Any time someone could control the content that's getting sent to the iPhone [the possibility of an attack] exists."
He warned that these types of attacks can be launched from a malicious website or from a legitimate website that has cross-site scripting vulnerabilities. SPI said that the issue was reported to Apple on July 6 and that it is currently working with Apple to create a fix. Hoffman recommends that iPhone users not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues.
Hackers have been trying to spot security vulnerabilities in Apple's iPhone since day one, and already they're scoring points. Recently, the folks over at Applehound posted a list of bugs discovered on the device, counting up to 68 bugs so far. Apple has yet to comment on these security issues.