Facebook began rolling out an important update to its Facebook Messenger application on Monday, after the app was found to be susceptible to a security flaw that could force users’ iPhones to place expensive calls automatically, racking up a large bill.

Developer Andrei Neculaesei was the first to identify the issue last week, saying scammers use the Uniform Resource Identifier (URI) scheme called "tel" to trigger a call without the user knowing. Usually, tapping a link containing a phone number takes the user to Safari, which then prompts them to confirm the call. However, apps like Facebook Messenger, Google+, Gmail, and FaceTime place the call without asking the user.

Facebook told TechRadar that its update has been packaged and should be released any time now to address the URI issue, so we’ll be watching the App Store closely for its release. Facebook has become the first company to address the issue.

As part of his findings, Neculaesei created a web page containing JavaScript that launches a call by automatically clicking a link. The script invokes the phone number’s "tel" URI as soon as the page is opened, so a vulnerable app places the call with no interaction from the user.
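As an added illustration, not from the article or from Neculaesei's research, here is a small Python scanner that flags HTML pages where a script drives a "tel" link without any user action; both sample pages and the phone numbers in them are constructed.

```python
import re
from html.parser import HTMLParser

# A "tel" URI followed by a dial string (digits, +, *, #, separators).
TEL_RE = re.compile(r"tel:\+?[\d*#;,()\-]+", re.IGNORECASE)

# Script idioms that navigate to a tel: URI or synthesise a click
# without a user gesture.
NAV_PATTERNS = (
    re.compile(r"location(?:\.href)?\s*=\s*['\"]tel:", re.IGNORECASE),
    re.compile(r"window\.open\s*\(\s*['\"]tel:", re.IGNORECASE),
    re.compile(r"\.click\s*\(", re.IGNORECASE),
)


class TelLinkScanner(HTMLParser):
    """Collects tel: hrefs and the bodies of inline <script> elements."""

    def __init__(self):
        super().__init__()
        self.tel_hrefs, self.scripts = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value and value.lower().startswith("tel:"):
                    self.tel_hrefs.append(value)
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> text as data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))


def scan_html(html):
    """Return tel: links and scripts that would dial them automatically."""
    parser = TelLinkScanner()
    parser.feed(html)
    parser.close()
    auto_dial = []
    for script in parser.scripts:
        dials_literal = bool(TEL_RE.search(script))
        triggers = [p.pattern for p in NAV_PATTERNS if p.search(script)]
        if triggers and (dials_literal or parser.tel_hrefs):
            auto_dial.append({"triggers": triggers, "script": script.strip()})
    return {"tel_links": parser.tel_hrefs, "auto_dial": auto_dial}


# Constructed samples: 555-01xx numbers are reserved for fiction.
AUTO_DIAL_PAGE = """<html><body><a id="dial" href="tel:+1-555-0100">Call</a>
<script>document.getElementById('dial').click();</script></body></html>"""
BENIGN_PAGE = '<html><body><a href="tel:+1-555-0199">Call us</a></body></html>'
```

A page with a plain "tel" link and no script is reported as having links but no auto-dial finding, which is the behaviour the confirmation prompt in Safari is meant to cover.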

Apple hasn’t commented publicly on the security matter.

[TechRadar via PC World]



    • johnnytalks

      Seems legit

    • Jonathan

      We no like robots here… just humans.

      • Dani Hayes

        What about cyborgs??

      • Jonathan

        Wish I didn’t google search that…

      • Dani Hayes

        Why is that??

  • Jonathan

    Eh, who uses Facebook Messenger? I just used that Facebook loophole and regained messaging in the Facebook app (thanks to iDB)

    • felixtaf

      An unintended touch in chat window of Facebook app takes you right to Facebook messenger. Annoying!
      (Thanks to iDB, of course)

    • I use Facebook messenger and love it.

      • Delis Encarnacion

        So basically you love giving a social network access to most of what you store on your phone, stripping you of your privacy. Or did I miss something?

      • Yup. Don’t forget they can see me taking showers too.

      • James Gunaca

        If you have the Facebook app on your phone, it has almost all the same privacy permissions as the Messenger app. So, if you want privacy, just don’t use the apps.

        Why do people still not get this?

      • Ignorance.

      • James Gunaca

        I’m with you here. I think it’s pretty cool. I don’t use it much, but it’s a pleasant experience.

    • Marcus

      I use Facebook Messenger and I love it. I’ve been using it for about a year now and it’s just awesome. It’s really fast and I don’t understand any of the hate towards it.

  • Jack Smith

    Surely the user will see the phone dialling unless it’s not being shown to them. But as a developer I can’t make an app do that, so how can someone with a security flaw in the app do that?

    • It’s a bug with iOS. To my knowledge all Facebook is doing is hijacking the tel:// URI within their app and asking the user if they want to call the number…

  • JulianZH

    or just uninstall it.