Insecure Handling of URL Schemes in iOS
Nitesh Dhanjani posted a nice blog post as part of the SANS Application Security blog [1]. He discusses a particular interesting vulnerability in iOS. In iOS, like in other operating systems, application may register themselves to handle particular URL schemes. For example, a URL starting with "tel:" links to the telephone application.
However, how these URL schemes are dealt with depends on the application receiving these requests from the browser. The telephone application will for example prompt the user asking if it should dial the number. Skype on the other hand does not prompt the user. In order to prompt the user, the application has to fully load and start up. So at the very least the attacker may be able to load the application.
Desktop browsers, like for example Firefox, will first prompt the user for these external URL schemes (try "telnet:", which will launches a terminal and open telnet in most cases).
[1] https://blogs.sans.org/appsecstreetfighter/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
My browser / game whatever app can only see a URL that is supposed to be handled externally.
Skype is to blame, but the more calls the badware makes, the more money they earn. And their prices for SkypeOut is already crazy, like double of going VoIP SIP rates.
PHP
Nov 10th 2010
1 decade ago
Terry
Nov 10th 2010
1 decade ago
Nick Moeck
Nov 10th 2010
1 decade ago