______________________________________________________________________
-------------------------- NSOADV-2015-001 ---------------------------
Jolla Phone tel URI Spoofing
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Title: Jolla Phone tel URI Spoofing
Severity: Low
Advisory ID: NSOADV-2015-001
Date Reported: 2015-01-29
Release Date: 2015-03-13
Author: Nikolas Sotiriu
Website: http://sotiriu.de
Twitter: http://twitter.com/nsoresearch
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2015-001.txt
Vendor: Jolla (https://www.jolla.com/)
Affected Products: Jolla Phone
Affected Versions: <= Sailfish OS 1.1.1.27 (VaarainjÃrvi)
Remote Exploitable: Yes
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Description:
============
The Sailfish OS of the Jolla Phone contains a vulnerability that allows
to spoof the phone number, passed by a tel URI through an A HREF of a
website with some spaces (HTML  ).
This could be used to trick a victim to dial a premium-rate telephone
number, for example.
Proof of Concept:
=================
<a href="tel:0000000000[25xSpaces]Spoofed Text[38Spaces]aaaaa">Call</a>
Test Site http://sotiriu.de/demos/callspoof.html
Solution:
=========
Install Version 1.1.2.16 (Yliaavanlampi)
https://together.jolla.com/question/82037/release-notes-upgrade-112-yliaavanlampi-early-access/
Disclosure Timeline:
====================
2015-01-28: Asked for a PGP Key (security@jolla.com)
2015-01-29: Got the PGP Key
2015-01-29: Sent vulnerability information to vendor
2015-01-29: Feedback that the vendor is looking into the problem
2015-01-30: Got detailed information about the patch process and timeline
2015-02-19: Got an E-Mail that the patched version is released
2015-03-13: Release of this advisory