A Romanian developer discovers a dangerous vulnerability in the iOS platform

  Andrei Neculasei is a Romanian developer who works for a Danish company, and in an article published on his personal blog he describes an extremely dangerous vulnerability in the iOS platform. More precisely, the vulnerability is in iOS's internal URL system: he discovered that certain applications automatically call a phone number when the user opens an internal link for that number (or an external link to a website that contains such an internal link), without the user knowing exactly what the link does.

  If you tap such a link with a phone number attached in Safari, the browser displays an alert asking whether you want to call that number, but applications that use internal browsers (WebView) do not display this alert. The animation above demonstrates the vulnerability in the Facebook Messenger application, but FaceTime, Gmail, Google+ and all other applications that use WebView are also affected.

  Using this vulnerability, a hacker can trick you into calling toll-free phone numbers or even find out your identity, given that the FaceTime application is also affected. Apple allows developers to make their apps display these alerts in internal WebView browsers as well, but if an app does not have this enabled and you are not careful about which links you open from apps, you might end up calling unknown phone numbers from your iPhone. On iPads and iPod Touches, only FaceTime calls are possible.

  That said, developers' carelessness could cost us serious amounts of money if hackers decide to take advantage of this vulnerability.