Specially crafted web sites can launch iPhone and iPod Touch apps without the Safari browser asking the user for permission when certain URL protocol handlers (URL schemes) are called. For instance, according to security researcher Nitesh Dhanjani, a web site can use the iframe <iframe src="skype://14085555555?call"></iframe> to launch the Skype app and automatically call a number, provided that the user has saved Skype access data. Criminals would also be able to play around with a number of other applications. For a list of the protocols currently used in the iPhone, see the URL scheme index.
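A way to audit page markup for the pattern described above, as an added example that is not from the original article or from Dhanjani's research: it reports every frame whose source uses a scheme the browser would hand to an external app. The names `FrameSchemeScanner`, `scan` and `BROWSER_SCHEMES`, the `exampleapp` scheme and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the browser renders itself (assumed allow-list); any other scheme
# is passed to whatever app has registered a handler for it.
BROWSER_SCHEMES = {"", "http", "https", "about", "data", "blob", "javascript"}
FRAME_TAGS = {"iframe", "frame"}


class FrameSchemeScanner(HTMLParser):
    """Collect frame sources that would invoke an external URL scheme handler."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # tuples of (line, tag, scheme, url)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in FRAME_TAGS:
            return
        # Browsers honour the first occurrence of a duplicated attribute.
        src = next((v for k, v in attrs if k == "src"), None)
        if not src:
            return
        url = src.strip()
        try:
            scheme = urlsplit(url).scheme  # urlsplit lowercases the scheme
        except ValueError:
            return  # malformed URL, nothing to classify
        if scheme not in BROWSER_SCHEMES:
            self.findings.append((self.getpos()[0], tag, scheme, url))


def scan(html):
    """Return findings for every frame that targets a non-browser scheme."""
    scanner = FrameSchemeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one ordinary frame, the article's Skype frame,
# a hypothetical app scheme in mixed case, and a relative URL.
SAMPLE_PAGE = """<html><body>
<iframe src="https://example.com/widget"></iframe>
<iframe src="skype://14085555555?call"></iframe>
<IFRAME SRC=" EXAMPLEAPP://open" width=0 height=0></IFRAME>
<iframe src="/local/page.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, scheme, url in scan(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads external scheme '{scheme}': {url}")
```

The scanner only sees frames present in the static markup; frames created by script at load time need a check in a rendering crawler or proxy instead.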