It seems like every week developers and researchers find new security holes in the systems and services we use every day. Many of these vulnerabilities expose users to data theft and privacy attacks, among other things, and now developer Andrei Neculaesei of Copenhagen has discovered a flaw that could make your mobile phone place expensive calls without your permission.
Phone numbers on web pages often appear as tel: links. In many cases, tapping one brings up a prompt asking for confirmation before the call is placed. The issue is that, while browsers such as Safari ask for that confirmation, some major apps, including Facebook Messenger and Google+, go ahead and place the call without asking.
Neculaesei, a developer at the wireless streaming company Airtame, found a way to abuse apps that do not ask for permission before dialing: he was able to make them dial a phone number simply by having the user open a web page link. Attackers could take advantage of a flaw like this quite easily. Neculaesei says that an attacker could, for example, send a link via Facebook Messenger that begins dialing an expensive number automatically as soon as the link is clicked.
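To make the distinction between the two behaviours concrete, here is a small JavaScript model of the check an app's in-app web view should apply before handing a tel: navigation to the phone. It is added here as an example and is not code from the article, from Neculaesei, or from any of the apps named. It assumes that the malicious page triggers the dial from script as soon as it runs (the article only says that opening a link was enough; it does not describe the exact trigger), and it models the app's native navigation delegate as a plain function that receives a `userInitiated` flag. The function names, the fake `window` object, and the placeholder 555 number are all constructed for the example.

```javascript
// Added example, not from the article or from the apps it names: a model of a mobile
// app's in-app web view and its policy for navigations to call-related URI schemes.
// Phone numbers on web pages are tel: links; whether such a navigation dials at once
// or asks first is decided by the app hosting the web view, not by the page.

// URI schemes that hand their target to the phone/video-call stack on iOS.
const CALL_SCHEMES = new Set(['tel', 'callto', 'sms', 'facetime', 'facetime-audio']);

// Return the lowercased scheme of a URL, or null for relative/unparseable targets.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Extract what would actually reach the dialer, for display in a confirmation prompt.
// For tel:/callto:/sms: drop RFC 3966 visual separators so that "+1-900-555-0199",
// "+1 (900) 555-0199" and "+19005550199" all show as the same number.
function dialTargetOf(url) {
  const scheme = schemeOf(url);
  if (scheme === null) return null;
  let rest = url.trim().slice(scheme.length + 1).replace(/^\/\//, ''); // tolerate tel://
  try { rest = decodeURIComponent(rest); } catch (e) { /* malformed escapes: keep raw */ }
  if (scheme === 'tel' || scheme === 'callto' || scheme === 'sms') {
    return rest.replace(/[\s().-]/g, '');
  }
  return rest;
}

// Hardened policy: decide what the web view does with a navigation request.
// `userInitiated` says whether a real tap started the navigation (WebKit exposes this
// to the native navigation delegate; here it is a plain argument, an assumption of
// this example).
function decideNavigation(url, userInitiated) {
  const scheme = schemeOf(url);
  if (scheme === null || scheme === 'http' || scheme === 'https') {
    return { action: 'load', url };
  }
  if (CALL_SCHEMES.has(scheme)) {
    const target = dialTargetOf(url);
    // Script-driven tel: navigation (page load, timer, redirect) is never dialed.
    if (!userInitiated) return { action: 'block', scheme, target };
    // A genuine tap still shows the number and waits for the user, as Safari does.
    return { action: 'confirm', scheme, target };
  }
  // Anything else (custom app schemes and so on) is refused by default.
  return { action: 'block', scheme, target: null };
}

// Vulnerable policy modelling the behaviour the article describes: hand the tel: URI
// straight to the OS and let the call go out, no prompt.
function dialWithoutPrompt(url) {
  return { action: 'dial', scheme: schemeOf(url), target: dialTargetOf(url) };
}

// Minimal web-view model: runs a page script against a fake `window` whose location
// setter routes every navigation through the app's handler and records the decisions.
// Nothing here is user-initiated, because the page itself drives the navigation.
function runPage(pageScript, handler) {
  const decisions = [];
  const win = {
    location: {
      set href(url) { decisions.push(handler(url, /* userInitiated */ false)); },
    },
  };
  pageScript(win);
  return decisions;
}

// Constructed attacker page: navigates to a tel: URI as soon as it runs, no tap needed.
// The number is a placeholder in the 555 range, not a real premium-rate number.
const autoDialPage = (win) => { win.location.href = 'tel:+1-900-555-0199'; };

console.log(runPage(autoDialPage, dialWithoutPrompt));  // action: 'dial'
console.log(runPage(autoDialPage, decideNavigation));   // action: 'block'
console.log(decideNavigation('tel:+1-900-555-0199', true)); // action: 'confirm'
```

Run it with `node` and compare the three decisions: the vulnerable handler dials the moment the page runs, the hardened one refuses the script-initiated navigation outright, and only a real tap on the same number reaches the confirmation step. Normalizing the displayed number matters because a prompt that shows the raw URI lets an attacker pad it with separators and percent-escapes until the premium prefix is hard to spot. In a real iOS app this logic belongs in the native web-view navigation delegate, not in page JavaScript, which the attacker controls.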
Based on the developer's research, any app that does not show a permission or confirmation prompt is at risk, including Apple's FaceTime, Gmail and Google+. Neculaesei said he only tested a small number of top-tier apps, but suggests the issue likely extends to others as well.
His findings have been backed up by other experts in the field, who say attacks of this nature are certainly possible. The research is based on presentations made at a security conference earlier this month, so hopefully countermeasures are already being looked at.