updated 07:35 pm EST, Thu November 20, 2008
The Fraunhofer Institute for Secure Information Technology in Germany has allegedly discovered an iPhone vulnerability that allows a maliciously crafted website to force the phone to dial a number, according to Spiegel. The researchers claim that exploiting the issue takes only basic programming knowledge and just three lines of code. Clicking a link to a malicious site causes the user to lose control of the device: a white screen is displayed until the call is made, after which the screen and device are released.
The bug could be more than a minor nuisance, particularly if someone sets up a site that forces the phone to dial a pay-per-call number. Many people have been scammed into calling phone numbers that follow the standard ten-digit domestic format but actually connect to other countries or territories that might not require disclosure of the charges. Combining the two scams could potentially victimize a large number of iPhone owners.
The institute claims that Apple was made aware of the issue before it was disclosed to the public. The upcoming iPhone software update will include a security fix for the issue.