Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Vista
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
Re: [SE-2008-01] J2ME Security Vulnerabilities 2008
Aug 07 2008 06:55PM
0xjbrown41 gmail com
* establishing of arbitrary phone calls
From RFC 3966 (http://www.faqs.org/rfcs/rfc3966.html):
11. Security Considerations
The security considerations parallel those for the mailto URL
[RFC2368].
Web clients and similar tools MUST NOT use the "tel" URI to place
telephone calls without the explicit consent of the user of that
client. Placing calls automatically without appropriate user
confirmation may incur a number of risks, such as those described
below:
o Calls may incur costs.
o The URI may be used to place malicious or annoying calls.
o A call will take the user's phone line off-hook, thus preventing
its use.
o A call may reveal the user's possibly unlisted phone number to the
remote host in the caller identification data and may allow the
attacker to correlate the user's phone number with other
information, such as an e-mail or IP address.
So, if you are referring to the callto: security risk on most all mobile browsers, they already know.
[ reply ]
Privacy Statement
Copyright 2008, SecurityFocus
From RFC 3966 (http://www.faqs.org/rfcs/rfc3966.html):
11. Security Considerations
The security considerations parallel those for the mailto URL
[RFC2368].
Web clients and similar tools MUST NOT use the "tel" URI to place
telephone calls without the explicit consent of the user of that
client. Placing calls automatically without appropriate user
confirmation may incur a number of risks, such as those described
below:
o Calls may incur costs.
o The URI may be used to place malicious or annoying calls.
o A call will take the user's phone line off-hook, thus preventing
its use.
o A call may reveal the user's possibly unlisted phone number to the
remote host in the caller identification data and may allow the
attacker to correlate the user's phone number with other
information, such as an e-mail or IP address.
So, if you are referring to the callto: security risk on most all mobile browsers, they already know.
[ reply ]