The iOS 911 vulnerability was reported in 2008, usable in 2016

You might have thought that Apple would have been working on trying to fix up iOS right after an 18-year-old publicly executed a nasty exploit that could make the host device do supposedly anything from a click of a web link: call 911 repeatedly, send torrents of emails and performing other JavaScript tasks to do so much.

Well, it turns out that after doing a little more digging, one Collin Mulliner has been able to replicate the bug that the Arizona teenager put out. He was able to figure out how iOS apps that use the in-built WebView browser to display external webpages are vulnerable to a bug that traces back to iPhone OS 3. You know, before when the iPad and iPod touch got into the family.

Nowadays, when your iPhone reads the HTML of any page on Safari, it’s supposed to make sure you want to call the number requested through a dialog prompt. It used to simply dial and call the number upon read. Apple did patch this bug, but it has neglected to do so for the WebView browser.

That means that if you click on, say, a Facebook or Twitter link to a page coded in such a way, you are at peril with whatever the HTML code makes your phone do. In Mulliner’s simulated case, it is to call a certain number and lock out any input into the phone through a mix of bogging the phone with too much information at the same time.

Mulliner, who was able to use a bug he had in 2008 to work with an app with WebView in 2016, contacted both Twitter and Apple. The developer also has a bounty cap on his way.

Share This Post

Watch the Latest Pocketnow Videos

About The Author
Jules Wang
Jules Wang is News Editor for Pocketnow and one of the hosts of the Pocketnow Weekly Podcast. He came onto the team in 2014 as an intern editing and producing videos and the podcast while he was studying journalism at Emerson College. He graduated the year after and entered into his current position at Pocketnow, full-time.