
How does a WebKit framework flaw enable denial-of-service attacks?

A vulnerability in Apple's WebKit framework allows attackers to initiate phone calls through mobile apps on victims' devices. Expert Michael Cobb explains how the attack works.

A researcher found that mobile apps with Apple's WebView embedded into them are vulnerable to denial-of-service attacks and phone calls initiated by attackers. An individual has been arrested for tweeting an exploit that resulted in a flood of calls being made by those who clicked on it to 911 emergency call centers. How does WebView work, and how are attackers taking advantage of it?

The WebKit framework that Apple uses allows iOS developers to display web content and implement common browser features, such as following hypertext links when clicked by the user and managing a history of pages visited recently. It greatly simplifies the complicated process of loading webpages.

WebView is the core view class in the WebKit framework, and it is used by many apps, such as Twitter and LinkedIn, as it can style and render content very efficiently.

There have been various vulnerabilities discovered in the WebKit framework over the years, and one that was reported to Apple by researcher Collin Mulliner back in 2008 appears to have resurfaced. The vulnerability allows an attacker to initiate phone calls to numbers of their choosing.

The WebKit framework vulnerability is trivial to exploit; an attacker only needs the victim to visit a site hosting a few simple, but malicious, lines of HTML code that redirect them to a Uniform Resource Identifier for telephone numbers (tel URI).

According to Mulliner, loading a tel URI should trigger a dialog box asking for the device user's permission to call the given number. However, he discovered that a tel URI can be opened automatically, bypassing any user interaction, if it's used as the source of an HTML iframe or frame, the URL of a meta refresh, the location of an HTTP 30x redirect, or as the location of the current or a new window using JavaScript. Mulliner also said the vulnerability could keep the user from canceling the call by forcing a second app onto the home screen, overlaying the dialer. Demo videos of the attacks against the Twitter and LinkedIn apps show an unresponsive UI while the call is being made.

The vulnerability is due to poor programming, combined with weak WebKit framework defaults and a possible bug with the handling of tel URIs. Due to its ease of exploitation, app developers who use WebView to display content should review their code and ensure that it is not vulnerable to this attack as soon as possible. Note that apps that open links in the Safari or Chrome mobile apps are not vulnerable. There should be code within an app that checks the URL scheme before executing it, and that shows the user a pop-up dialog before executing a tel URI or opening another app on the device.
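One way to implement the scheme check and confirmation dialog described above, as an added example that is not from the original article or from any of the apps it names. It assumes the app hosts its web content in a WKWebView and sets this controller as the view's navigationDelegate; the class name GuardedWebViewController and the two scheme lists are hypothetical.

```swift
import UIKit
import WebKit

// Added example: scheme gate for a view controller that hosts a WKWebView.
// The class name and both scheme lists are assumptions; adjust them per app.
final class GuardedWebViewController: UIViewController, WKNavigationDelegate {
    // Schemes the web view is allowed to load itself.
    private let inAppSchemes: Set<String> = ["https", "about"]
    // Schemes that hand off to another app (dialer, messages, mail).
    private let confirmSchemes: Set<String> = ["tel", "sms", "facetime", "mailto"]

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        // No URL or no scheme: refuse rather than guess.
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        if inAppSchemes.contains(scheme) {
            decisionHandler(.allow)
            return
        }
        // Every other scheme is cancelled inside the web view.
        decisionHandler(.cancel)

        // Prompt only when the navigation is a link activation in the main
        // frame; every other navigation to these schemes is dropped silently.
        let userTapped = navigationAction.navigationType == .linkActivated
        let mainFrame = navigationAction.targetFrame?.isMainFrame ?? false
        guard confirmSchemes.contains(scheme), userTapped, mainFrame else { return }

        // Show the full URI so the user sees the number before consenting.
        let alert = UIAlertController(title: "Open outside this app?",
                                      message: url.absoluteString,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```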

Until there are app mitigations against this attack, and Apple changes the default behavior of WebView, malicious or compromised sites can exploit this vulnerability to force a victim's phone to dial premium rate numbers; launch denial-of-service attacks, like the attack against the 911 service; or obtain the user's phone number.


This was last published in April 2017
