Last month, we covered the arrest of a teenager who utilised a bug to spread a malicious link on Twitter that forced iPhones to repeatedly call 911. And now, we finally know how the bug actually works.
The bug works after users click a link that forces an iPhone to dial a pre-determined number (like 911) and then refreshes the page or opens multiple apps in order to freeze the device’s user interface. This makes it almost impossible to cancel the call.
So you can comprehend how this is a bad bug. If one of these links was widely distributed on a platform like Twitter, countless 911 call centres could be flooded with calls being accidentally placed by people who were tricked into clicking a link. That’s exactly what happened in the recent case in Arizona. In the case of the teenager who was arrested, his local 911 call centre received a hundred calls “in a matter of minutes” according to statement by Maricopa County Sheriff’s office. Authorities in California and Texas were also affected.
What’s especially curious about this bug is that Apple actually fixed it a long time ago, back when iOS 3 was released. However, Apple’s fix only applied to its web browser, Safari. The patch didn’t include some of the pseudo browsers (called WebView) that operate within apps like Twitter or LinkedIn.
Here’s a video showing the bug in action:
The researcher who discovered this most recent iteration of the bug, Collin Mulliner, says he’s submitted details of the bug to Apple in hopes they will issue a patch soon. Mulliner also offered up another interesting theory as to how this bug could be utilised by a bad actor. A stalker, Mulliner says, could send this link to their victim, with the stalker’s number as the number set to dial, in order to then determine the victim’s phone number. That sounds terrifying.
Apple should definitely find a way to patch this bug very soon. [Bleeping Computer]