The iOS 911 vulnerability was reported in 2008, usable in 2016
Well, it turns out that after a little more digging, one Collin Mulliner has been able to replicate the bug that the Arizona teenager put out. He figured out that iOS apps that use the built-in WebView browser to display external webpages are vulnerable to a bug that traces back to iPhone OS 3. You know, back before the iPad and iPod touch got into the family.
Nowadays, when your iPhone reads the HTML of any page in Safari, it’s supposed to confirm through a dialog prompt that you want to call the number requested. It used to simply dial the number as soon as it read the page. Apple did patch this bug, but it has neglected to do so for the WebView browser.
That means that if you click on, say, a Facebook or Twitter link to a page coded in such a way, you are at the mercy of whatever the HTML code makes your phone do. In Mulliner’s simulated case, that is to call a certain number and lock out any input into the phone by bogging it down with too much information at the same time.
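For app developers, the missing confirmation can be put back at the app level. The sketch below is an added example, not code from Mulliner, Apple or any affected app: it assumes the app shows pages in a WKWebView and that the page requests the call through a `tel:` link, and the class and property names are hypothetical.

```swift
import UIKit
import WebKit

// Added example: hypothetical view controller, names are illustrative only.
final class ExternalPageViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()
    // Schemes that hand control to the dialer or another app and so need consent.
    private let handoffSchemes: Set<String> = ["tel", "facetime", "facetime-audio", "sms"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              handoffSchemes.contains(scheme) else {
            decisionHandler(.allow)   // ordinary web navigation
            return
        }
        // The web view itself never acts on a call request.
        decisionHandler(.cancel)
        // Drop requests the user did not tap (script redirects, frames, page load).
        guard navigationAction.navigationType == .linkActivated else { return }
        confirmHandoff(to: url)
    }

    private func confirmHandoff(to url: URL) {
        // Show the exact target so the user sees what would be dialed.
        let alert = UIAlertController(title: "Call this number?",
                                      message: url.absoluteString,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        // Skip if a prompt is already showing, so repeated requests cannot stack dialogs.
        if presentedViewController == nil { present(alert, animated: true) }
    }
}
```

Cancelling every hand-off navigation first, and prompting only for taps, keeps a page from placing a call on load while still letting a user dial a number they actually chose.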
Mulliner, who was able to get a bug he reported in 2008 to work against an app with WebView in 2016, contacted both Twitter and Apple. The developer also has a bounty cap on the way.