CSRF ramblings
I was reading over this post by Robert Hansen of SecTheory just after reading a post of mine about Opera phone integration. It got me thinking, specifically this part:
It will also have phone-to-tag support, which basically turns any numbers formatted like a phone number into a link; when it's clicked, the phone will call it. Pretty nifty stuff.
That would be some damn interesting CSRF. Take control over the browser and force the loading of the phone's calling directive (e.g. callto://). You could get a person to call your costly line while they are browsing the net. Use caller ID and add them to some sort of calling list. If the phone and browser are integrated enough, perhaps even steal some other data like contacts or service provider, or even their phone number if their number is privately listed.
As if I needed another reason to hate phones.
Interesting thought with the Opera phone. I remember reading an article a few months back about a similar issue with JavaScript able to auto-dial Skype links within Mozilla. I can't find the link at the moment.
It is interesting to watch the new types of vulnerabilities popping up as we bring more intelligence and capability to the phones. A pesky piece of malware has a much larger impact when it can make international phone calls and result in charges to someone's bill.