Released since Apple published the iPhone 3.0 security fixes.
--- BEGIN ADVISORY ---
Manufacturer: Apple (www.apple.com) Device: iPhone 3G (iPhone 1st Gen) Firmware: 2.1 (possible earlier versions) Device Type: smart phone
Subsystems: Safari (and mobile telephony)
Short name: iPhone Safari phone-auto-dial (vulnerability)
Vulnerability class: application logic bug
Executive Summary: A malicious website can initiate a phone call without the need of user interaction. The destination phone number is chosen by the attacker.
Risk: MEDIUM-HIGH Medium to high risk due to the possibility of financial gain through this attack by calling of premium rate numbers (e.g. 1-900 in the U.S.). Denial-of-service against arbitrary phone numbers through mass-calling. User cannot prevent attack.
Reporter: Collin Mulliner <collin[AT]mulliner.org>
Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)
Oct. 20. 2008: Reported vulnerability to vendor. Oct. 20. 2008: Vendor acknowledges receiving our email. Not commenting on the vulnerability itself. Oct. 27. 2008: Sent update to vendor, also requesting a status report. Oct. 29. 2008: Reply from vendor acknowledging the vulnerability. Oct. 30. 2008: Sent additional information. Nov. 13. 2008: Vender says vulnerability is fixed in upcoming OS version. Nov. 20. 2008: Public disclosure. Jun. 18. 2009: Full-Disclosure.
iPhone OS 2.2 iPhone OS 2.2.1 iPhone OS 3.0
The Safari version running on the iPhone supports handling the TEL  protocol through launching the telephony/dialer application. This is done by passing the provided phone number to the telephony application. Under normal conditions, loading a tel: URI results in a message box asking the user's permission to call the given number. The user is presented with the simple choice to either press call or cancel.
We discovered a security vulnerability that dismisses the "ask for permission to call" dialog in a way that chooses the "call" option rather than the "cancel" option.
This condition occurs if a TEL URI is activated at the same time Safari is closed by launching an external application, for example launching the SMS application (in order to handle a SMS URI ). The SMS application can be launched through placing a SMS URI as the source of an iframe. This is shown in the first proof-of-concept exploit below.
Further investigation showed that this behavior can be reproduced by launching other applications such as: Maps, YouTube, and iTunes. Launching these applications can be achieved through loading special URLs using the meta refresh tag. This is shown in the second proof-of-concept exploit below.
Finally, we discovered a second bug that can be used to perform malicious phone calls that cannot be prevented or canceled by the victim. This bug allows the attacker to freez the GUI (graphical user interface) for a number of seconds. While the GUI is frozen the call progresses in the background and cannot be stopped by the victim user. Freezing the GUI is achieved by passing a "very long" phone number to the SMS application. The SMS application, immediately after being started, freezes the iPhone GUI. Also switching off the iPhone cannot be performed fast enough in order to prevent the malicious call.
 http://www.rfc-editor.org/rfc/rfc3966.txt  http://tools.ietf.org/html/draft-antti-gsm-sms-url-04
The dialing dialog is clearly shown to the user also the user, in most cases, can't press cancel quick enough in order to stop the initiation of the call. Once the external application is launched, the telephony application is running in the background performing the call. Only the call forwarding dialog (containing the "dismiss" button) indicates a call being made.
Proof-of-Concept with plain HTML using the SMS application:
<html> <head> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner </title> </head> <body> <iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe> <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe> <!-- second iframe is to attack quick users who manage to close the first call-dialog //--> <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe> </body> </html>
Proof-of-Concept attack where the victim user cannot stop the malicious phone call:
More Detailed Information:
Demo video available at: http://www.mulliner.org/iphone/
--- END ADVISORY ---
-- Collin R. Mulliner <email@example.com> info/pgp: finger firstname.lastname@example.org If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does!