0-day vulnerability in iOS apps: Gmail, Google+ and Facebook Messenger


Intro


Normal people spend their nights watching movies, reading articles, chatting on social networks or (yes, I know, this is strange) falling asleep in bed.
I spend my nights reading documentation and testing a wide variety of applications and services.
One night I was reading the documentation on tel links, because I am fascinated by old technologies that are still in use, their shortcomings, and the fact that people never read the RFC, which leads to what I like to call RTFM PWNAGE.

Need to try


As soon as I finished reading the tel documentation, I looked at my iPhone and said: cool, I have to try this! I coded up a small HTML page and opened it in Safari; here is the code:
[image: the HTML page]
As soon as I tapped the link, a dialog appeared asking me whether I really wanted to call 0000.

Apple


At this stage I was only interested in tel links; I was not looking for a vulnerability. But then it hit me: Apple loves to change things and "make them better", so maybe Apple has its own TEL documentation? And I was right.

The string I fell in love with


Apple's documentation on tel links is very short and easy to read. In the very first paragraph, something caught my attention:

When a user taps a tel link on a web page, iOS shows an alert asking whether the user really wants to dial the phone number and initiates the call if the user accepts. When a user opens a URL with the tel scheme from within an installed native application, iOS does not show an alert and initiates the call without further confirmation from the user.


So if I tap the link in Safari, I get a dialog asking whether I really want to call, but if I tap the same link inside the webView of an installed application, the call starts without my confirmation.

Do people read documentation?


No. And that is sad.

After reading this, I had doubts about such "big players" as Facebook, Twitter, Google, LinkedIn and so on. I assumed that such "giants" would have taken care of such a small "hole", but as it turned out, I was wrong.

We test on the Facebook Messenger application


I sent a link to the page through Facebook Messenger, tapped it so that the page I had created earlier opened in the app's webView (social applications do not want you to leave the app, which is why they use a webView), and then tapped the "click me" link:

Tapping the link initiates a call. Wait a minute... this is not good.

We make the link self-clicking


Many people think that things like links can only be clicked by the user. That is not so! Using a cunning but terribly simple piece of JavaScript, I made the link "self-clicking":
[image: the JavaScript that triggers the click]

See what happens:
[image: the call starts]


Note: you can also do the redirect on the server side, sending the user to the tel link with a header such as "Location: tel://0000".

Is this a security issue?


I can force you to dial any phone number with a single tap on a link in any application that does not configure its own handling of tel links. So yes, this is a security issue.

Just imagine: I register a premium-rate phone number and send you a link via Facebook Messenger or Twitter. You tap it and call me, and I pick up the phone while the money drains from your account.

It is not right! Who is to blame?


Well... Apple is not to blame. People simply do not read the documentation. The first paragraph about tel links describes everything down to the smallest detail: what happens, when, and how, and it clearly states that installed applications can be configured to show their own alert.

Who did not RTFM?


Facebook Messenger
[image]


Gmail
[image]


Google+
[image]


And now for everyone ...

Be careful


While I tested this vulnerability on only a few applications from large companies, it is safe to assume that smaller companies and platforms have not even thought about patching it.

Author's note: by the way, the same thing works through an iframe.

Source: https://habr.com/ru/post/235311/
