______________________________________________________________________ -------------------------- NSOADV-2015-001 --------------------------- Jolla Phone tel URI Spoofing ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Title: Jolla Phone tel URI Spoofing Severity: Low Advisory ID: NSOADV-2015-001 Date Reported: 2015-01-29 Release Date: 2015-03-13 Author: Nikolas Sotiriu Website: http://sotiriu.de Twitter: http://twitter.com/nsoresearch Mail: nso-research at sotiriu.de URL: http://sotiriu.de/adv/NSOADV-2015-001.txt Vendor: Jolla (https://www.jolla.com/) Affected Products: Jolla Phone Affected Versions: <= Sailfish OS 1.1.1.27 (Vaarainj&#195;rvi) Remote Exploitable: Yes Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Description: ============ The Sailfish OS of the Jolla Phone contains a vulnerability that allows to spoof the phone number, passed by a tel URI through an A HREF of a website with some spaces (HTML &#32;). This could be used to trick a victim to dial a premium-rate telephone number, for example. Proof of Concept: ================= <a href="tel:0000000000[25xSpaces]Spoofed Text[38Spaces]aaaaa">Call</a> Test Site http://sotiriu.de/demos/callspoof.html Solution: ========= Install Version 1.1.2.16 (Yliaavanlampi) https://together.jolla.com/question/82037/release-notes-upgrade-112-yliaavanlampi-early-access/ Disclosure Timeline: ==================== 2015-01-28: Asked for a PGP Key (security@jolla.com) 2015-01-29: Got the PGP Key 2015-01-29: Sent vulnerability information to vendor 2015-01-29: Feedback that the vendor is looking into the problem 2015-01-30: Got detailed information about the patch process and timeline 2015-02-19: Got an E-Mail that the patched version is released 2015-03-13: Release of this advisory