RETURN $ecure;

Security, Technology and Life

CSRF ramblings


I was reading over this post by Robert Hansen of SecTheory just after reading a post of mine about Opera phone integration. It got me thinking, specifically this part:

It will also have phone to tag support, which basically turns any numbers formatted like a phone number into a link, when it’s clicked the phone will call it. Pretty nifty stuff.

That would be some damn interesting CSRF. Take control over the browser and force the loading of the phone's calling directive (e.g. callto://). You could get a person to call your costly line while they are browsing the net. Use caller ID and add them to some sort of calling list. If the phone and browser are integrated enough, perhaps even steal some other data like contacts or service provider, or even their phone number if they have their number privately listed.
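To show the defensive side of this, here is an added example of the gating rule a browser, webview or page that renders untrusted content should apply before honouring a dialing link: the navigation must originate from a genuine user gesture (`event.isTrusted`), and the user must confirm the exact number that will be dialed. This is my own illustration, not code from Opera or from the original post; the scheme list, the function names and the `confirmFn` callback are assumptions, and the sample URLs are constructed. The in-page listener only covers the click path; a forced load via `location` or a frame `src` has to be gated by the browser itself with the same rule.

```javascript
// Added defensive example (assumed names, not from the original post).
// Dialing schemes that must never be followed without a confirmed user gesture.
const DIAL_SCHEMES = new Set(["tel:", "callto:", "sms:"]);

// Returns the lower-cased scheme of a URL string (e.g. "tel:"), or null if it
// cannot be parsed. A base is supplied so relative links resolve to https:.
function schemeOf(href) {
  try {
    return new URL(href, "https://example.invalid/").protocol.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when the link would hand the number to the phone's dialer.
function isDialUrl(href) {
  return DIAL_SCHEMES.has(schemeOf(href));
}

// Decision function. Non-dial links are always allowed. Dial links are allowed
// only when the triggering event is user-generated (isTrusted) AND the user
// confirms the number shown to them; a synthetic click or programmatic
// navigation is refused outright.
function shouldAllowDial(href, isTrusted, confirmFn) {
  if (!isDialUrl(href)) return true;
  if (!isTrusted) return false;
  const number = href.slice(schemeOf(href).length).replace(/^\/*/, "");
  return confirmFn(number) === true;
}

// Browser wiring: a capture-phase listener sees the click before the anchor
// acts, so a refused dial never reaches the phone. Skipped outside a browser.
if (typeof document !== "undefined") {
  document.addEventListener("click", (event) => {
    const anchor = event.target.closest && event.target.closest("a[href]");
    if (!anchor) return;
    const href = anchor.getAttribute("href");
    const ask = (n) => window.confirm(`Call ${n}?`);
    if (!shouldAllowDial(href, event.isTrusted, ask)) {
      event.preventDefault();
      event.stopImmediatePropagation();
    }
  }, true);
}
```

The point of the `isTrusted` check is that a CSRF-style page can dispatch a synthetic click on an auto-generated phone link, but it cannot forge a trusted event; the confirmation step then makes sure the number the user sees is the number that gets dialed.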

As if I needed another reason to hate phones.


Written by Rodney G

02/18/2008 at 7:41 pm

One Response


  1. Interesting thought with the Opera phone. I remember reading an article a few months back about a similar issue with JavaScript able to auto dial Skype links within Mozilla. I can’t find the link at the moment.

    It is interesting to watch the new types of vulnerabilities popping up as we bring more intelligence and capability to the phones. A pesky piece of malware has a much larger impact when it can make international phone calls and result in charges to someone’s bill.

    Michael Coates

    02/21/2008 at 8:35 am
