lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 7 Aug 2008 18:55:06 -0000
From: 0xjbrown41@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: [SE-2008-01] J2ME Security Vulnerabilities 2008

* establishing of arbitrary phone calls

>From RFC 3966 (http://www.faqs.org/rfcs/rfc3966.html):

11.  Security Considerations

   The security considerations parallel those for the mailto URL
   [RFC2368].

   Web clients and similar tools MUST NOT use the "tel" URI to place
   telephone calls without the explicit consent of the user of that
   client.  Placing calls automatically without appropriate user
   confirmation may incur a number of risks, such as those described
   below:

   o  Calls may incur costs.
   o  The URI may be used to place malicious or annoying calls.
   o  A call will take the user's phone line off-hook, thus preventing
      its use.
   o  A call may reveal the user's possibly unlisted phone number to the
      remote host in the caller identification data and may allow the
      attacker to correlate the user's phone number with other
      information, such as an e-mail or IP address.

So, if you are referring to the callto: security risk on most all mobile browsers, they already know.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ