Facebook began rolling out an important update to its Facebook Messenger application on Monday, after the app was found to be susceptible to a security flaw that forces users’ iPhones to place expensive calls automatically, racking up a large bill.

Developer Andrei Neculaesei was first to identify the issue last week, saying scammers use the Uniform Resource Identifier (URI) scheme called “tel” to trigger a call without a user knowing. Usually, clicking on a link containing a phone number takes a user to Safari, which then prompts them to confirm the call. However, apps like Facebook Messenger, Google+, Gmail, and FaceTime make the call without asking the user.

Facebook told TechRadar that its update has been packaged and should be released any time now to address the URI issue, so we’ll be watching the App Store closely for its release. Facebook has become the first company to address the issue.

As part of his findings, Neculaesei created a web page containing JavaScript that launches a call by automatically clicking a link. The script opens the phone number’s URI as soon as the page is opened, so the call starts without the user tapping anything.
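The confirmation step that the affected apps skipped can be modelled as a navigation policy for an in-app web view. The sketch below is an added example, not code from Neculaesei, Facebook, or the original article: `decideNavigation` and the `userInitiated` flag are hypothetical names, the phone number is a constructed sample, and the `facetime:`, `facetime-audio:` and `sms:` entries go beyond the `tel` scheme the article names.

```javascript
// Added example: link policy for an in-app web view (hypothetical helper).
// Schemes that make the device dial or message; only "tel" is named in the article.
const CONFIRM_SCHEMES = new Set(["tel:", "facetime:", "facetime-audio:", "sms:"]);
const ALLOW_SCHEMES = new Set(["http:", "https:"]);

// Returns { action: "allow" | "confirm" | "block", number?, prompt? }.
// `userInitiated` is assumed to be reported by the host web view: true only
// for a real tap, false for a click generated by page script.
function decideNavigation(rawUrl, userInitiated) {
  let url;
  try {
    url = new URL(String(rawUrl).trim());
  } catch {
    return { action: "block" }; // unparseable input never reaches the dialer
  }
  const scheme = url.protocol; // the URL parser lower-cases the scheme
  if (ALLOW_SCHEMES.has(scheme)) return { action: "allow" };
  if (!CONFIRM_SCHEMES.has(scheme)) return { action: "block" };

  // Policy choice in this sketch: a dial request with no user tap is dropped.
  if (!userInitiated) return { action: "block" };

  let target;
  try {
    target = decodeURIComponent(url.pathname);
  } catch {
    return { action: "block" }; // malformed percent-encoding
  }
  // Show only dialable characters so page content cannot shape the prompt text.
  const number = target.replace(/[^0-9+*#]/g, "");
  if (number === "") return { action: "block" };

  // The host app must display this prompt and dial only after an explicit "Call".
  return { action: "confirm", number, prompt: `Call ${number}?` };
}

// Constructed sample inputs.
console.log(decideNavigation("tel:+1-555-0100", true));  // tap: ask first
console.log(decideNavigation("tel:+1-555-0100", false)); // scripted click: blocked
```
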

Apple hasn’t commented publicly on the security matter.

[TechRadar via PC World]