If you’re an iPhone user, you may want to be cautious about opening messages that contain phone numbers in the near future; they may cost you a lot of money. Developer Andrei Neculaesei notes that maliciously coded links in some apps will abuse the “tel” web handler (which covers dialing) to automatically make a phone call the moment you view a message. Potentially, an evildoer could force you to call an expensive toll number before you’ve had a chance to hang up. The exploit isn’t limited to any one app or developer, either. Facebook Messenger, Gmail and Google+ all fall prey to the attack, and it’s likely that other, less recognizable apps exhibit similar behavior. Apple’s Safari browser will ask you before starting a call, but FaceTime’s behavior lets you pull a similar (though not directly related) stunt.
In many cases, it’s the developers who are to blame. They’re supposed to put tighter controls on what happens when a number comes in, such as giving you a warning. However, Apple could theoretically mitigate the issue by requiring prompts for all phone links. You may not have to worry about a spam flood in practice, but let’s hope app writers act quickly , “tel” exploits can cause a lot of grief if left unchecked.