A new hack has reopened an 8-year-old iPhone security loophole that Apple thought it had fixed back with iPhone OS 2.2. This is not one of those times when a theoretical attack gets identified and blocked quickly by Apple. On the contrary, it's a hack that actually exists right now, and it can have some serious real-world repercussions, so this is something all iPhone users need to be aware of.
As an iPhone user, the main thing you need to know is that this hack can force your phone to dial any number while locking you out of the in-call UI so that you can't hang up. All of this can happen if you just tap a malicious link.
The hack exploits a security hole in iOS's WebView, which is what apps like Twitter and Facebook use to render webpages without having to open the link externally in Safari. So basically, if you're using any app that has its own "built-in" web browser, any link you tap could make you fall victim to the attack.
18-year-old iPhone app developer Meetkumar Hiteshbhai Desai was brought up on felony charges in Arizona after allegedly setting up a website that used this exploit. According to the police report, Desai created a website that used this malicious code to make other users' phones dial 911 repeatedly. He then shared the link on Twitter, and after several unsuspecting iPhone users visited the page, the Maricopa County Sheriff's office received over 100 hang-up calls to 911 in just a few minutes.
So you can see how this could pose a huge risk to public safety, but the hack has even more sinister potential. Theoretically, an online stalker could set up a link that forced other phones to dial his or her number, then simply use caller ID to associate your online username with your personal phone number. And because the hack can lock you out of the phone interface, you wouldn't be able to hang up before the call went through. It could also be used to place calls to numbers that charge the caller, to make a quick buck.
This bug does not affect Safari, Chrome, or any third-party web browser for iOS—just the system WebView. That means that you can safely surf the internet if you stay inside your preferred web browser.
The problem comes when you tap a link from within an app that is not a web browser. Some apps might open the link externally in Safari, which wouldn't cause any problems. But other apps use the vulnerable WebView to render pages without opening Safari, so this is where you have to be careful.
So if you want to be extra safe, don't tap any links unless you're using Safari. For a more reasonable approach, you could simply avoid tapping links in any non-Safari app unless you trust the person or website that posted the link. You could also press and hold on a hyperlink to see its URL, or use 3D Touch to preview it, which can help you determine if a link is legit or possibly malicious.
Apple already tried to squash this bug once, but it didn't stay dead, which means we can't assume that a security fix will be pushed out quickly this time. So until we see an iOS update that specifically mentions fixing this bug, we'll just have to be a bit more careful while tapping links in third-party apps.