Bugtraq mailing list archives
Re: [SE-2008-01] J2ME Security Vulnerabilities 2008
From: 0xjbrown41 () gmail com
Date: 7 Aug 2008 18:55:06 -0000
* establishing of arbitrary phone calls
From RFC 3966 (http://www.faqs.org/rfcs/rfc3966.html):
11. Security Considerations The security considerations parallel those for the mailto URL [RFC2368]. Web clients and similar tools MUST NOT use the "tel" URI to place telephone calls without the explicit consent of the user of that client. Placing calls automatically without appropriate user confirmation may incur a number of risks, such as those described below: o Calls may incur costs. o The URI may be used to place malicious or annoying calls. o A call will take the user's phone line off-hook, thus preventing its use. o A call may reveal the user's possibly unlisted phone number to the remote host in the caller identification data and may allow the attacker to correlate the user's phone number with other information, such as an e-mail or IP address. So, if you are referring to the callto: security risk on most all mobile browsers, they already know.
Current thread:
- [SE-2008-01] J2ME Security Vulnerabilities 2008 Security Explorations (Aug 07)
- <Possible follow-ups>
- Re: [SE-2008-01] J2ME Security Vulnerabilities 2008 0xjbrown41 (Aug 07)
- re: [SE-2008-01] J2ME Security Vulnerabilities 2008 Security Explorations (Aug 08)
- Re: Re: [SE-2008-01] J2ME Security Vulnerabilities 2008 0xjbrown41 (Aug 08)