XDA Developers Android and Mobile Development Forum

[VULNERABILITY] Remote wipe via iframe USSD trigger

chrisfu (OP), post #1
(Last edited by chrisfu; 25th September 2012 at 03:19 PM.) Reason: Update

UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 rom.

Quote:
Originally Posted by Lennyuk
Ok so confirmed, if you are on the latest S3 rom (and maybe other samsung phones) your phone should no longer auto-launch the USSD code to do a factory reset.
UPDATE: Here is a video of this vulnerability being performed at Ekoparty 2012 over the weekend: http://www.youtube.com/watch?v=Q2-0B04HPhs

I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

Apparently the USSD code to wipe an S3 can be triggered in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Code:
the USSD code to factory data reset a Galaxy S3 is *2767*3855#, and it can be triggered from a browser like this: <frame src="tel:*2767*3855%23" />
MOD EDIT: workaround here
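As an added example that is not part of chrisfu's post or anything else in this thread: a small Python scanner for the pattern described above, the kind of check a proxy, mail gateway or crawler could run on pages before a handset renders them. It assumes only what the post describes, namely that the stock browser hands any tel: URI it loads (frame, iframe, meta refresh) or the user taps to the dialer, which then runs a *...# MMI code. The attribute and tag sets, the MMI regex, the function names and the sample pages are my own constructions, not Samsung's or the thread's.

```python
"""Scanner for HTML that pushes a USSD/MMI code into the Android dialer.

Added example; not code from the XDA thread or from Samsung. The attack in
the post works because the stock browser hands any tel: URI it loads or the
user taps to the dialer, and an unpatched dialer executed *...# MMI codes as
soon as it received them. All sample pages below are constructed here.
"""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import unquote

# Attributes a browser will navigate to or load from (assumed set).
URL_ATTRS = {"href", "src", "action", "data"}

# Tags whose URL is fetched without a tap: the <frame>/<iframe> trick from
# the thread, plus other auto-loading elements (assumed set).
AUTO_LOAD_TAGS = {"frame", "iframe", "meta", "img", "script", "link", "embed", "object"}

# MMI/USSD codes begin with * or # and end with #, e.g. *2767*3855# (the
# Samsung factory-reset code quoted in the thread) or *#06# (IMEI).
MMI_RE = re.compile(r"^[*#][*#0-9]*#$")


def tel_target(uri: str) -> Optional[str]:
    """Return the dial string if `uri` is a tel: URI, else None.

    Percent-encoding is undone first: the payload in the thread writes the
    trailing '#' as %23 so it is kept as part of the URI rather than being
    read as a fragment.
    """
    u = uri.strip()
    if not u.lower().startswith("tel:"):
        return None
    return unquote(u[4:]).strip()


class TelScanner(HTMLParser):
    """Collect (tag, dial string) for every tel: URI found in an attribute."""

    def __init__(self) -> None:
        # HTMLParser unescapes entities in attribute values, so &#35; -> '#'.
        super().__init__()
        self.hits: list = []

    # <frame src="..." /> is a start-end tag; HTMLParser routes it here too.
    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        for name, value in attrs:
            if value is None:
                continue
            name = name.lower()
            if tag == "meta" and name == "content":
                # <meta http-equiv="refresh" content="0;url=tel:..."> also
                # navigates without a tap.
                m = re.search(r"url\s*=\s*(.+)$", value, re.IGNORECASE)
                if not m:
                    continue
                value = m.group(1).strip("'\" ")
            elif name not in URL_ATTRS:
                continue
            target = tel_target(value)
            if target is not None:
                self.hits.append((tag, target))


def find_ussd_triggers(html: str) -> list:
    """One finding per tel: URI: its tag, the decoded dial string, whether it
    is an MMI code, and whether the element loads without user interaction."""
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return [
        {
            "tag": tag,
            "number": number,
            "mmi": bool(MMI_RE.match(number)),
            "auto": tag in AUTO_LOAD_TAGS,
        }
        for tag, number in scanner.hits
    ]


def is_dangerous(html: str) -> bool:
    """True if any tel: URI on the page carries an MMI code. A plain
    click-to-call number is reported by find_ussd_triggers but not blocked."""
    return any(f["mmi"] for f in find_ussd_triggers(html))


# Constructed sample pages (not from the thread).
SAMPLES = {
    # The payload quoted in the post: auto-loaded, '#' percent-encoded.
    "frame_encoded": '<html><body><frame src="tel:*2767*3855%23" /></body></html>',
    # Same code in a hidden iframe with '#' written as an HTML entity.
    "iframe_entity": '<iframe src="tel:*2767*3855&#35;" style="display:none"></iframe>',
    # Needs a tap, but still dials an MMI code (IMEI display).
    "link_imei": '<a href="tel:*%2306%23">tap here</a>',
    # Meta refresh variant.
    "meta_refresh": '<meta http-equiv="refresh" content="0;url=tel:*2767*3855%23">',
    # Legitimate click-to-call: a tel: URI, but not an MMI code.
    "plain_call": '<a href="tel:+441612345678">Call us</a>',
    "no_tel": '<iframe src="https://example.com/"></iframe>',
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        verdict = "BLOCK" if is_dangerous(page) else "allow"
        print(f"{name:14} {verdict:5} {find_ussd_triggers(page)}")
```

The scanner decodes both percent-encoding and HTML entities before matching, because either one hides the trailing `#` from a naive string search; it reports plain click-to-call numbers too, but only blocks on the `*...#` MMI shape, so a legitimate "Call us" link is not caught.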
 
kofiaa, post #2
Quote:
Originally Posted by chrisfu
I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

Apparently the USSD code to wipe an S3 can be triggered in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Code:
the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this:
What the... why should this even work?! They need to fix this asap. Does it mean the frames can trigger other S3 codes? And is this only for the S3, Samsung phones, or Android in general?

 
chrisfu (OP), post #3
(Last edited by chrisfu; 25th September 2012 at 12:39 PM.) Reason: Added research info
Quote:
Originally Posted by kofiaa
What the... why should this even work?! They need to fix this asap. Does it mean the frames can trigger other S3 codes? And is this only for the S3, Samsung phones, or Android in general?
Yep, you can trigger other USSD codes too. It's just that one that is the game-changer and will make Samsung sit up and take notice. Looking at the simplicity of it, it's a wonder it's not been discovered before. Unconfirmed, but I'd imagine this would affect all Samsung Android devices.

Update: Just to let you know, I'm investigating a way of removing the "tel:" URL handler now on my S3. If others can also investigate, we should have a short-term fix for this soon within the community.
 
port76, post #4
Does Samsung know about this? Has anyone informed them? This is serious, guys.

 
chrisfu (OP), post #5
Quote:
Originally Posted by port76
Does Samsung know about this? Has anyone informed them? This is serious, guys.
I've tweeted @SamsungUK. They're as good as any other place to start. I'd suggest as many people bombard them as possible, just to get their attention. They can then let their primary Android devs know about this.

I've also tweeted @ChainfireXDA too, as he'd probably be quicker to react than Samsung. @supercurio is usually really good at helping out in such circumstances as well.
 
sts_fin, post #6
(Last edited by sts_fin; 25th September 2012 at 12:57 PM.)
Easiest way to save yourself from this attack: set Chrome as your default browser; the tel: URI is not handled by Chrome.

Just tested it on an SGS3 and Note... So just use Chrome, and you are safe.

We have also contacted Samsung Finland about this.
 
projectsome, post #7
Quote:
Originally Posted by sts_fin
Easiest way to save yourself from this attack: set Chrome as your default browser; the tel: URI is not handled by Chrome.

Just tested it on an SGS3 and Note... So just use Chrome, and you are safe.

We have also contacted Samsung Finland about this.
Chrome is my default browser.

I normally root, remove apps I won't use like the default browser, then unroot.
 
chrisfu (OP), post #8
Quote:
Originally Posted by sts_fin
Easiest way to save yourself from this attack: set Chrome as your default browser; the tel: URI is not handled by Chrome.

Just tested it on an SGS3 and Note... So just use Chrome, and you are safe.

We have also contacted Samsung Finland about this.
Yep, I can confirm that with Chrome on ICS.

Just to add, there is some information here regarding intents within Android. Revoking CALL_PHONE permissions would serve to block this attack within any HTML-rendering app.

http://developer.android.com/guide/a...p-intents.html

If they don't affect normal calling or text messaging, the CALL and DIAL intents could be temporarily revoked, and this would fix the issue. It should just mean that "tel:" URIs within iframes and "a" tags wouldn't work within any app that renders HTML.
 
Ninfosho, post #9
Hmmm... sorry, but I don't understand what you are talking about.

What's the problem?
 
chrisfu (OP), post #10
Quote:
Originally Posted by Ninfosho
Hmmm... sorry, but I don't understand what you are talking about.

What's the problem?
If you click a link which contains within it a line of malicious code, it can cause your SGS3 to reset to factory defaults. Yep, a full wipe.

Tags
galaxy s3, iframe, samsung, ussd, wipe