Twitter: iOS App can establish Facetime calls without user's permission

ID H1:28500
Type hackerone
Reporter gepeto42
Modified 2015-04-27T13:03:04


When URL Schemes for local applications are inserted in an inline frame, the web view launches them automatically.


<header><title>Facetime Audio URL Scheme Test</title></header>
<iframe src="facetime-audio://"></iframe>

This page ( which you can also find at ) - when loaded from Twitter on iOS (including 8), automatically establishes a Facetime Audio call to me, leaking the user's email address or phone number (caller ID information for their Facetime account).

I marked this as a CSRF but that isn't technically correct, but it is similar in behavior.

Thank you.