Facebook is pushing out an important update to its Messenger app, fixing a flaw that allowed potentially expensive phone calls to be made without user consent, says Tech Radar.

The security gap was first discovered last week by developer Andrei Neculaesei. Neculaesei found that Apple’s mobile iOS has a hole that allows developers to create a URL that automatically dials a phone number when the link is clicked. If that link is clicked inside a mobile web browser, a message will pop up asking if you want to proceed to make the call. However, “when a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user” writes Apple in its developer reference guide.

What’s more, Neculaesei says hackers can create self-clicking telephone links (or “tel links”) in JavaScript, so your phone automatically calls the number embedded in a link without you ever clicking on it. If the URL is connected to a premium phone number, you’ll get charged as soon as the person at the other end of the line picks up.

So far, Facebook is the only company to respond to the threat, though the update hasn’t hit the App Store yet. The company told Tech Radar it would be releasing an update in the next few days. Google Plus, Gmail, and any other app that doesn’t have a custom framework for tel links are also susceptible to these kind of attacks.

To date, Apple hasn’t commented on the security flaw.