手机的tel:url安全漏洞记录

http://dylanreeve.com/phone.php

In brief it works like this:

• Phones support special dialing codes called USSDs that can display certain information or perform specific special features. Among these are common ones (*#06# to display IMEI number) and phone specific ones (including, on some phones, a factory reset code). 
• There is a URL scheme prefix called tel: which can, in theory, be used to hyperlink to phone numbers. The idea being that clicking on atel: URL will initiate the phone's dialer to call that number.
• In some phones the dialer will automatically process the incoming number. If it's a USSD code then it will be handled exactly as if it had be keyed in manually - requiring no user intervention to execute.
• A tel: URL can be used by a hostile website as the SRC for an iframe (or potentially other resources like stylesheets or scripts I guess). It may then be loaded and acted upon with no user intervention at all.

A video demonstrating the process has been widely circulated - it also details some other vectors to deliver thetel: URL - including WAP Push SMS, QR Code and NFC. All of these processes have the same end result.