I’ll make it short:
If you added this in your malicious page:
<iframe src=”tel:1-408-555-5555”></iframe>
You get this:
Which is a confirmation whether or not you want to call that number.
But when you do this in your malicious page:
<iframe src=”skype://14085555555?call"></iframe>
You get this:
Which is Skype making a phone call (Where Skype should be running anyway).
It’s not just an iOS thing only. In fact, It’s mostly a Skype thing and they should place a confirmation message. But still, iOS should do something about it.
More details about the vulnerability can be found in the source below.