You may be familiar with so-called meta-refreshing, a kludge often used to mimic HTTP redirection or to reload the current page after a predefined period of time. This story describes a potential problem related to user agent support for such refreshing.
An example
When the Nokia E90 (v 7.40.1.2) web browser arrives at a page with code such as:
<meta http-equiv="Refresh" content="1;URL=tel:+555555555">
…or:
<meta http-equiv="Refresh" content="1;URL=wtai://wp/mc;+5555555555">
…the phone prompts the user to call the number in question. A second prompt follows (a choice of voice, video or Internet call). This behaviour occurs whether the page is browsed on the web or opened as an e-mail attachment.
Other phones and versions may or may not be affected. For all I know, their prompts may also differ in quality and quantity.
What? Why?
Because the prompts do exist, I tend to think that this phenomenon should not quite be considered a vulnerability, at least on this model. Nevertheless, I wonder whether extending the “meta-refresh” functionality to the tel and wtai schemes really is intended and reasonable, or whether Nokia might instead have overlooked the potential for abuse laid out e.g. in RFC 3966, section 11:
- Calls may incur costs.
- The URI may be used to place malicious or annoying calls.
- A call will take the user’s phone line off-hook, thus preventing its use.
- A call may reveal the user’s possibly unlisted phone number to the remote host in the caller identification data and may allow the attacker to correlate the user’s phone number with other information, such as an e-mail (sic) or IP address.
I have asked Nokia to comment on this issue, but have received no response.
Benefits probably outweighed by hazards
I am not aware of any benign web application that would depend on this somewhat bizarre ability to “meta-refresh” phones into placing PSTN/PLMN calls.
In contrast, it would be easy for a malicious web (perhaps also WAP) site operator to instruct browsers to try to “refresh” towards, e.g., a premium-rate telephone number. Additionally, junk e-mail could be used to recruit victims. The average user may be surprised by the prompts and, not understanding how they came about, may be kept from reacting safely.
Are you affected?
If any of your browsers are able to place telephone calls, you should be aware of threats such as the one described above. You can easily construct two test pages (one for tel, and one for wtai) in order to determine how your browsers handle “meta-refresh” attempts that point to telephone numbers.
Should you encounter unsafe behaviour, you might want to disable automatic refreshing (if possible), and try to alert the software vendor to the problem. Please also post your comments here!
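As an added example that is not part of the original post, the following scanner flags meta-refresh targets whose scheme would place a call (the tel and wtai schemes discussed above), the sort of check a mail gateway or content filter might apply before a page reaches a phone browser. The sample pages are constructed here for illustration.

```python
import re
from html.parser import HTMLParser

# URI schemes that a phone browser may hand to its call handler.
# Both appear in the post; extend the tuple for other dialling schemes.
CALL_SCHEMES = ("tel:", "wtai:")

# Matches "<seconds>;URL=<target>". In practice the "URL=" part is optional
# and the target may be quoted, so both variants are tolerated.
_REFRESH_RE = re.compile(
    r"^\s*(?P<delay>\d*)\s*[;,]\s*(?:url\s*=\s*)?['\"]?(?P<url>[^'\"]+?)['\"]?\s*$",
    re.IGNORECASE,
)

def parse_refresh(content):
    """Split a refresh value into (delay_seconds, target_url); None if no URL."""
    m = _REFRESH_RE.match(content)
    if not m:
        return None  # plain "<seconds>" reloads the same page: no redirect target
    delay = int(m.group("delay")) if m.group("delay") else 0
    return delay, m.group("url").strip()

class MetaRefreshScanner(HTMLParser):
    """Collects (delay, url) from every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # html.parser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        parsed = parse_refresh(a.get("content", ""))
        if parsed:
            self.findings.append(parsed)

def find_call_refreshes(html):
    """Return meta-refresh targets that would make the browser place a call."""
    scanner = MetaRefreshScanner()
    scanner.feed(html)
    return [(d, u) for d, u in scanner.findings if u.lower().startswith(CALL_SCHEMES)]

SAMPLE_PAGES = {  # constructed sample pages, not taken from any real site
    "tel": '<html><head><meta http-equiv="Refresh" content="1;URL=tel:+555555555"></head></html>',
    "wtai": '<meta http-equiv="refresh" content="1;URL=wtai://wp/mc;+5555555555">',
    "benign": '<meta http-equiv="Refresh" content="5; url=\'https://example.org/next\'">',
    "reload": '<meta http-equiv="Refresh" content="30">',
}
```

Only the tel and wtai pages are reported; an ordinary HTTP redirect or a timed reload passes through unflagged.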
External links
- “The tel URI for Telephone Numbers” (RFC 3966)
- “The META element”, a section of “HTML Techniques for Web Content Accessibility Guidelines 1.0” (www.w3.org)