
Advertisers Already Using New iPhone Text Message Exploit

Andy Smith writes: The annoying App Store redirect issue has blighted iPhone users for years, but now there's a new annoyance and it's already being exploited: Visit a web page on your iPhone and any advertiser can automatically open your messages app and create a new text message with the recipient and message already filled in. We can only hope they don't figure out how to automatically send the message, although you can bet they're trying.
  • by Anonymous Coward on Tuesday September 29, 2015 @12:36PM (#50620529)

    Visit a web page on your iPhone and any advertiser can automatically open your messages app

    You'll forgive me if I don't click that

    • It's ok to visit and read the article, but use a PC, not an Apple product. May I recommend Firefox on Linux?

      • It's ok to visit and read the article, but use a PC, not an Apple product. May I recommend Firefox on Linux?

        Firefox?

  • See (Score:5, Insightful)

    by Greyfox ( 87712 ) on Tuesday September 29, 2015 @12:38PM (#50620541) Homepage Journal
    It's shit like that that drives people to adblock. And also to class action lawsuits.
    • Re:See (Score:5, Insightful)

      by jellomizer ( 103300 ) on Tuesday September 29, 2015 @12:46PM (#50620593)

      Exactly, Adblocking for the most part isn't about trying to stop advertising that helps pay for the operation of the website, but to stop abusive add companies that attempt to turn your full device into an advertising media. Especially when it gets past the site you are viewing, then the add revenue doesn't go to the web-site but only to the advertising company, thus creating a no benefit business model.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        I do not currently and do not expect to ever have a personal opposition to advertisements hosted on the same server as the page I am viewing and inserted by server-side script.

        So long as the advertisements are handled by a third party client-side script, page owners can claim ignorance of what is being advertised through their page. This willful refusal to assess their own contribution to the spread of malicious software is why I have no doubts about my decision to use ad blockers and a nice big host file.

        • I do not currently and do not expect to ever have a personal opposition to advertisements hosted on the same server as the page I am viewing and inserted by server-side script.

          No, no scripts.. certainly not without asking permission to run. They can put up regular old HTML static pictures and text in the main page.

          The only safe browser we will soon have is one that just views the page source without parsing it.

          • Re: (Score:2, Informative)

            by Anonymous Coward

            Server-side scripting is just a fancy way of saying "static HTML generated by the server and sent to your client as-is". It's not a script you have to run, as that would be client-side scripting (a.k.a. Javascript).

            For all practical intents and purposes, "server-side scripting" produces static HTML. (The only reason there's a distinction at all is because of page caching.)

          • Do you not understand what server-side scripting is?

            Hint: it's different from client-side scripting. And turning off JavaScript in your browser has no effect on it.

      • Re:See (Score:5, Insightful)

        by JustAnotherOldGuy ( 4145623 ) on Tuesday September 29, 2015 @01:24PM (#50620831)

        Exactly, Adblocking for the most part isn't about trying to stop advertising that helps pay for the operation of the website, but to stop abusive add companies

        Bingo. I'd be happy seeing a reasonable number of non-intrusive ads on a page, but that's not the problem here.

        I run AdBlock specifically to try and avoid the malware-laden ads and auto-playing ads with sounds. I have no problem with text ads whatsoever, but when ads cross the line and infect my PC or blare sound unrequested, that's it.

        The advertisers have really brought this on themselves for the most part. Not 100% of the blame, but ~95% of the blame is on them.

        I say 95% because I realize it's hard to vet every ad, especially those with flash, but that's not my problem- it's their problem and if they can't get a grip on it then they completely lose my eyeballs.

        Really, I don't mind a reasonable number of benign ads, but infecting my PC isn't something I'm willing to agree to.

        • The advertisers have really brought this on themselves for the most part. Not 100% of the blame, but ~95% of the blame is on them.

          Yep, it's that miscreant 95% that give the other 5% a bad name!

      • Note that advertisement, advertiser, advertising, etc each have 1 letter D. "Add" is a mathematics term.

      • Yes - right on.

        I've noticed that many websites that link from FB in the mobile app are overtaken by the ads they serve. I tried reading a newsy item and each time the site came up briefly before auto-forwarding to some spammy ad site instead. Pressing the Back button didn't work - the original site was unusable.

        These bad-ads are affecting "legitimate" content sites.

        I haven't seen this behavior in mobile Chrome. But whatever browser FB uses isn't all that secure. I've wondered how much extra tracking happ

    • Re: (Score:2, Flamebait)

      by Grishnakh ( 216268 )

      Maybe, but I don't really see the problem here. This is the price you pay for using Apple products. You can't even install a different browser like Firefox on Apple's iCrap devices because they won't allow anything that doesn't use their own WebKit renderer, so everything is going to be stuck with whatever vulnerabilities that the regular Apple browser has.

      Android has its issues to be sure, but at least you're allowed to install whatever browser you want on an Android device. So if the built-in one sucks

    • I find sometimes it is best to make it blow up to get it fixed.

      Sometimes a bug is managed and annoys a lot of people.

      Remember the fake PC support scam from a year ago? The calls have pretty much stopped once it became game on to call them and abuse them in a virtual PC and post the results online.

      If this remains unfixed, there should be some way to bait it to overload the workers responding and never sending money.

      How many users can a gambling website support who have no credit cards? Join and try to get

  • I know I'm an odd ball, cynical, and critical. As proof, I use my phone as a Phone and iPod. I didn't like Palm Pilots either, for some of the same reasons. The screen is too small, the keyboard sucks ass, and it's too slow. Phones added a new dimension though.. which is whether or not I trust a network my phone connects to that I can't see or audit.

    You can do whatever you want on your phone in my opinion. The vendor should be responsible for teaching people risks, but risks are then up to the consume

    • Yep. It's not my 'phone', it's my pocket computer and is an extension of my secured network. No your kid can't play games on my pocket computer.
    • Yes, the on-screen keyboards on phones are a pain to type on. However, it's better than nothing at all, or in many cases trying to lug around a laptop. That's why many of us use them.

      I guess if you never leave your parents' basement, then you might not see the use in a handheld mobile communication device with internet access.

  • by Anonymous Coward

    Let's fine them $100k per infraction

  • by Anonymous Coward

    It's not an "exploit"!

    You've been "productized" and then "monetized".

  • Computer fraud ... (Score:5, Interesting)

    by gstoddart ( 321705 ) on Tuesday September 29, 2015 @12:43PM (#50620581) Homepage

    So when will we start holding ad agencies accountable for what is basically hacking?

    This is precisely why I will never have any qualms about blocking every damned ad site I can possibly identify ... because they're all run by assholes who feel entitled to do anything they wish.

    They're untrustworthy, and willing to do anything for a buck. Which means we should be blocking the hell out of this shit.

    Boo hoo to anybody who says they need the ad revenue ... unless you plan on being accountable for this shit done by your advertisers, stop expecting us to trust them or you.

    • I didn't read TFA but I think these advertisers are using a feature.
      Am I wrong?
      • I am reading your comment's parent to mean that, if people are charged with "hacking" for doing much less, why not these ad agencies?
        • I am reading your comment's parent to mean that, if people are charged with "hacking" for doing much less, why not these ad agencies?

          The main reason? The ad agencies are corporations with plenty of lawyers. It takes far less time and resources to prosecute a private individual. Additionally, the private individual has little or no PR capability to make the state look like bad guys for doing so (that part would come naturally to an ad agency).

    • by Anonymous Coward

      You assume these ad agencies are reputable businesses that aren't fly by night shells (all the way down) designed to do nothing but fleece their clients and remorselessly annoy their targets.

      Selling ads online is really about dividing saps from their money as quickly as possible

  • Or they can just give us an option to disable Safari from doing anything other than web browsing.

    • by sims 2 ( 994794 )

      You can actually turn off javascript in safari.

      Settings > Safari > Advanced > JavaScript

      Breaks a lot fixes a lot.

      Pretty much eliminates browser crashes tho.

      • by cfalcon ( 779563 )

        Still frustrating to not have access to noscript. I want scripts on my bank. I want scripts on some web forums that I trust. I don't want scripts in general.

  • by ZorinLynx ( 31751 ) on Tuesday September 29, 2015 @12:56PM (#50620661) Homepage

    Why is there an API for sending a text message from a web page? Why does this need to exist at all?

    You'd think someone at Apple, when they came up with the idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

    Same deal with javascript being able to open the App Store. WHY??

    • The most likely thing is so that web-pages can have links to their app.

      I agree it's idiotic and open for abuse.

      I want my browser locked down in a sandbox and largely precluded from interacting with the rest of the OS, but apparently they don't make those.

      Why do we keep trusting the web? Because time and time again it proves to be anything but trustworthy.

    • by cdrudge ( 68377 ) on Tuesday September 29, 2015 @01:10PM (#50620743) Homepage

      Why is there an API for sending a text message from a web page? Why does this need to exist at all?

      You'd think someone at Apple, when they came up with the idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

      It wasn't shot down when mailto: was included in the HTML spec. As long as the API doesn't allow you to actually send it without further consent, how is it any different than every other app's "Send to Facebook|Twitter|Email|Whatever" functionality?

      • Why is there an API for sending a text message from a web page? Why does this need to exist at all?

        You'd think someone at Apple, when they came up with the idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

        It wasn't shot down when mailto: was included in the HTML spec. As long as the API doesn't allow you to actually send it without further consent, how is it any different than every other app's "Send to Facebook|Twitter|Email|Whatever" functionality?

        The difference is money.

        For many people, there is a cost per message (over some monthly limit) to send/receive texts, and 'subscription' texts (as the ad in the article was apparently trying to set up through this sketchy exploit) charge the user above and beyond the carrier costs. Posting to FB or Twitter doesn't carry any significant cost rider (just loss of dignity, but that's going cheap nowadays), unless the payload is big enough to impact data costs. Even emails are not individually metered like tex

        • by Ronin Developer ( 67677 ) on Tuesday September 29, 2015 @02:06PM (#50621173)

          However, there is no cost if you don't hit "Send". You have the option to cancel the text just as we have done for years with mailto: links.

          Now, if they figure out how to actually send the text without consent, that's another game altogether.

          • However, there is no cost if you don't hit "Send". You have the option to cancel the text just as we have done for years with mailto: links.

            Now, if they figure out how to actually send the text without consent, that's another game altogether.

            If you accidentally hit 'Send' on a mailto link, there are no monetary consequences either, unless there's a whack of data attached to the email. If you do on the text, you're unwittingly establishing a monetary contract to pay some asshat real dollars on a regular basis. I have also heard that once 'subscribed' to these jerks, it can be hellish to get them to 'unsubscribe' you.

            They're banking on the fact that the user a) is a fumble-fingered idiot like me, or b) isn't technically savvy enough to know how

        • As long as the API doesn't allow you to actually send it...

          the difference ceases to be money.

    • by idji ( 984038 )
      this is probably just using IPhone URL Schema [akosma.com] to make an sms: URL, just like a mailto: URL, and no I don't think they can click send - that can only be done within the message app.
    • by sims 2 ( 994794 )

      Someone definitely should have said no to the text api I can't think of any good reason to have one.

      A clickable link for app store apps was a good idea.
      But they fked up when they allowed scripts to open it.

      Why do almost none of the 3rd party browsers allow you to switch off javascript? You can turn it off in safari why not the others? Is it really that complicated to not run javascript?

    • by tlhIngan ( 30335 ) <slashdotNO@SPAMworf.net> on Tuesday September 29, 2015 @01:17PM (#50620787)

      Why is there an API for sending a text message from a web page? Why does this need to exist at all?

      You'd think someone at Apple, when they came up with the idea for this, would be shot down by someone else saying "Sorry dude, this is a feature that can be abused."

      Same deal with javascript being able to open the App Store. WHY??

      JavaScript can't open the App Store. What it can do is open a link to iTunes. What happens here is if you click a link that points to iTunes (iTunes Preview), on the desktop, it goes to a page that shows you the target, followed by a button that says "Open in iTunes" at which point iTunes is supposed to open and go to the app/music/movie/tv page of that item.

      On iOS, if you do the same, instead of iTunes opening, it goes to the appropriate store that sells the item. This is a regular feature and it's the same on iOS or Android. If you click on the "Apple App Store" button or the "Get it on Google Play", same result - it takes you to that product page in the appropriate store. Both are basically links that get treated specially.

      Likewise, it's possible to do text messaging - iOS has the ability to recognize phone numbers on webpages, and if you tap them, gets you the ability to send a text or phone that number. (Sometimes its heuristics mess up in humorous ways).

      That's by design.

      However, iOS does not allow anyone to send a text, make a phone call, send an email or other things without manual intervention. Siri can do it, but only after Siri composes it for you. Again, this is for safety purposes - apps cannot programmatically run up your phone bill. So at worst, you have an app switch out to Messages or Mail or the App Store on you. But at that point, you must tap "Purchase" or "Send" to actually perform the task. (a webpage can't do it because at that point, the other app is onscreen)

      I wouldn't call this a new phenomenon ... I have seen ads do this for years - especially on mobile ones where they pop up a full screen interstitial that advertises some freemium game and the javascript calls open() on it which triggers the app store.

      It's really a form of advertising that's existed on desktops for years exploiting the new mobile technology, except instead of switching between apps, it's triggering plugins.

      Heck, the email one is really a lot like mailto: URLs that can fill in the To, Subject and body of a message, and wait for you to click Send.

    • WHY you ask?

      Perhaps it was Lone Starr who said it best when exclaiming, "We're not just doing it for money...We're doing it for a shitload of money!"

    • by Spaham ( 634471 )

      it's a BUG, dude...

    • Same deal with javascript being able to open the App Store. WHY??

      Well, I have an app in both the app store and the play store. So, when I talk about it, I use a URL that checks which os is hitting it, and redirects to the appropriate store. Great for tweeting, cards (next to the QR codes for each store), etc.

  • It sounds like Apple has pretty shitty customer support. Good thing I don't own any Apple products. Fuck Apple.
  • by Anonymous Coward on Tuesday September 29, 2015 @01:24PM (#50620839)

    Well, not a real war. I mean, it's just the Internet, so like a hacker war or something. And I'm probably not going to do anything about it. Don't know anything about hacking, personally. But I'm sure someone somewhere out there will take up the torch! I just need a catchy hashtaggy thingy, and I guess I'd have to make a Twitter account? Wow, that sounds like a lot of work for a war. Uh, I guess someone else who already uses Twitter would have to do that part.

    Anyway, I've done my part. It's now up to you, random outraged people of the Internet! Focus your anger and hatred into something positive and wage unholy war on these adver--what's that? 50% off penis enlargements and porn? HOW DO I HIT SEND FASTER!? AWAY!!

  • mailto: (Score:4, Insightful)

    by Aaden42 ( 198257 ) on Tuesday September 29, 2015 @01:31PM (#50620887) Homepage

    How is this different than a mailto: link which can populate the subject, body, etc. but not actually send it until you tap send?

    • Re:mailto: (Score:5, Insightful)

      by clonehappy ( 655530 ) on Tuesday September 29, 2015 @01:42PM (#50620985)

      It's not.

      Just like every meatspace annoyance turned into public hyperventilation when translated into computer annoyances, now every regular computer annoyance means public hyperventilation when translated into mobile annoyances.

      Even for slashdot, calling this an "exploit" is a fucking stretch. But oh yeah, fuck Apple or something...

    • How is this different than a mailto: link which can populate the subject, body, etc. but not actually send it until you tap send?

      While I don't use iJunk, my guess is that it's not set up to be one transparently and/or intentionally in the coding--so, it's basically a case where intent made the difference between a useful feature and a security hole.

  • In that case we'll all continue to run ad blockers until you guys are able to figure out which ads are good and which are bad. This fiasco should serve as motivation for the ad industry to start aggressively self-regulating, including funding action against rule breakers. They'll be the death of your industry if you allow them to continue.
  • by Adam Simons ( 2881717 ) on Tuesday September 29, 2015 @02:30PM (#50621323)
    Using the SMS URL scheme in Chrome on Android does the exact same thing. If any webpage has a link or uses Javascript to simulate a click to an SMS URL, it will bring up your default messaging app with a pre-populated phone number and optional message.

    <a href="sms:+18005551234?body=hello%20there">SMS Me</a>

    Like iOS, this does not automatically send the message. I don't know why this is not reported as being just a feature of modern browsers like the old mailto: tag. This is a feature, not an exploit. Whether or not it should even be a feature in the first place is another argument altogether.
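
The link-versus-script distinction in the comment above, as an added example that is not part of the original thread: a heuristic Node.js audit of ad markup that parses `sms:` URLs and separates plain tap-to-open links from script- or markup-driven navigation. The function names, regexes and sample markup are constructed for illustration, and only the `?body=` form shown in the comment is handled.

```javascript
// Added example: audit ad creative for sms: URLs (heuristic, regex-based).

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // keep raw on bad %
}

// Parse sms:<number>[,<number>...][?body=<text>] into its pre-filled parts.
function parseSmsUrl(url) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(url.trim());
  if (!m) return null;
  const recipients = m[1].split(',').map(safeDecode).filter(Boolean);
  const body = new URLSearchParams(m[2] || '').get('body') || '';
  return { recipients, body };
}

// Ways a page can open an sms: URL without the user tapping a visible link.
// These patterns are assumptions for this example, not an exhaustive list.
const AUTO_PATTERNS = [
  { how: 'href set from script', re: /\.href\s*=\s*["'](sms:[^"']+)["']/gi },
  { how: 'location assignment', re: /\blocation\s*=\s*["'](sms:[^"']+)["']/gi },
  { how: 'location.assign/replace',
    re: /\blocation\.(?:assign|replace)\(\s*["'](sms:[^"']+)["']/gi },
  { how: 'window.open', re: /\bopen\(\s*["'](sms:[^"']+)["']/gi },
  { how: 'iframe src', re: /<iframe[^>]*\bsrc\s*=\s*["'](sms:[^"']+)["']/gi },
  { how: 'meta refresh',
    re: /<meta[^>]*http-equiv\s*=\s*["']refresh["'][^>]*url=(sms:[^"'>\s]+)/gi },
];

// An ordinary anchor: the Messages app opens only if the user taps it.
const LINK = /<a\b[^>]*\bhref\s*=\s*["'](sms:[^"']+)["']/gi;

// Return one finding per sms: URL, tagged by how it would be triggered.
function auditCreative(markup) {
  const findings = [];
  for (const { how, re } of AUTO_PATTERNS) {
    for (const m of markup.matchAll(re)) {
      findings.push({ trigger: 'automatic', how, ...parseSmsUrl(m[1]) });
    }
  }
  for (const m of markup.matchAll(LINK)) {
    findings.push({ trigger: 'user-tap', how: 'anchor href', ...parseSmsUrl(m[1]) });
  }
  return findings;
}

// Constructed sample creative: one plain link, two automatic triggers.
const SAMPLE = `
<a href="sms:+18005551234?body=hello%20there">SMS Me</a>
<script>window.location.href = "sms:+18005550100?body=constructed%20sample";</script>
<meta http-equiv="refresh" content="0; url=sms:+18005550199">
`;

for (const f of auditCreative(SAMPLE)) {
  console.log(`${f.trigger.padEnd(9)} ${f.how.padEnd(22)} to=${f.recipients} body="${f.body}"`);
}
```

A publisher could run a check like this over third-party creative before serving it and reject anything reported as `automatic`.
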
  • If an ad is caught doing this the app gets pulled from the app store. Makes the advertising useless.
    • by cfalcon ( 779563 )

      Really? I found several webpages that spam opened the app store when visited, to whatever was being promoted. Way too often for it to be a fully bannable offense. I bet the developer just has to be like "ohh noooo i had no ideaaaaaa" and all is well.

      Where would I report abuse like this anyway?

  • Yet another great reason to block all ads under all circumstances. You control what displays on your property, not some remote server! Give them a pixel, they'll take root if they can.

  • Apple has supported the "sms:" URL scheme on iOS for years now. Here's a site with a how-to from 2013 [west-wind.com].
