
[VULNERABILITY] Remote wipe via iframe USSD trigger

OP chrisfu

25th September 2012, 02:12 PM   |  #11  
sts_fin (Member)
Quote:
Originally Posted by sts_fin

Easiest way to save yourself from this attack: set Chrome as your default browser; the TEL URI is not handled by Chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

Update: it works also with chrome... So no helping there.

Update to update: chrome parses the TEL: link but does not run the USSD.
Last edited by sts_fin; 25th September 2012 at 02:21 PM.
25th September 2012, 02:14 PM   |  #12  
Lennyuk (Recognized Developer), Essex, England
Surely it depends if the browser is a system app or not?

If it is a system app, chances are it has permissions to dial out; if not, it won't.


EDIT:

If you are on an ICS ROM, please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app, and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE
Last edited by Lennyuk; 25th September 2012 at 02:22 PM.
25th September 2012, 02:36 PM   |  #13  
Mopral (Senior Member), Saint-Brieuc
Quote:
Originally Posted by Lennyuk

Surely it depends if the browser is a system app or not?

If it is a system app, chances are it has permissions to dial out; if not, it won't.


EDIT:

If you are on an ICS ROM, please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app, and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

Tried on Opera Mobile:

- It asks me to click before triggering the code
- I click to launch the process
- Then it just opens the dialer with the code "11111" in it
[Attached screenshot: Screenshot_2012-09-25-14-36-31.jpg]
Last edited by Mopral; 25th September 2012 at 02:39 PM.
25th September 2012, 02:38 PM   |  #14  
Senior Member
SGS3 GT-I9300 ICS 4.0.4

Firefox: opens Phone app dialer, but nothing within.
Opera: Automatically suppresses frame loading and displays the warning.
Chrome: Opens Phone app dialer and shortly displays it, but does nothing.
Last edited by toncij; 25th September 2012 at 03:05 PM.
25th September 2012, 02:40 PM   |  #15  
Junior Member
So, from what I can tell, this *only* affects certain "TouchWiz" devices.

On standard Android, it will launch the dialler - but the user has to hit the dial key for anything to happen.

And, depending on their device, hitting dial will try to send the code as a USSD rather than processing it internally.

Until Samsung issue an update there's little you can do other than replace the TouchWiz dialler.
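
An added example, not part of any post in this thread: a page scanner for a filtering proxy or crawler that separates `tel:` URIs loaded without a click (the iframe case in the thread title) from ones the user has to tap. The block/warn/allow policy, the function and class names, and the sample markup are assumptions made for illustration; the dial strings are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed policy (not from the thread): tags that fetch a URL with no user action.
AUTO_LOAD = {"iframe": "src", "frame": "src", "embed": "src", "object": "data"}
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)

def classify_tel(uri):
    """Return 'ussd', 'number', or None when the URI is not tel:."""
    uri = re.sub(r"[\t\r\n]", "", uri).strip()   # browsers drop these in URLs
    if not uri.lower().startswith("tel:"):
        return None
    dial = unquote(uri[4:])                      # '#' usually arrives as %23
    return "ussd" if "*" in dial or "#" in dial else "number"

class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                       # (verdict, tag, kind)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        found = []                               # (uri, loads_without_click)
        if tag in AUTO_LOAD and AUTO_LOAD[tag] in a:
            found.append((a[AUTO_LOAD[tag]], True))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content", ""))
            if m:
                found.append((m.group(1), True))
        if tag in ("a", "area") and "href" in a:
            found.append((a["href"], False))
        for uri, auto in found:
            kind = classify_tel(uri)
            if kind:
                # No click involved: block. Clicked MMI/USSD-style string: warn.
                verdict = "block" if auto else "warn" if kind == "ussd" else "allow"
                self.findings.append((verdict, tag, kind))

def scan(html):
    parser = TelScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the dial strings are placeholders, not real codes.
SAMPLE = """<iframe src="tel:*%2300000000%23" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0; url=tel:11111">
<a href="tel:+15550100">Call us</a>
<a href="TEL:*&#35;00000000&#35;">Check status</a>"""
```

`scan(SAMPLE)` blocks the iframe and the meta refresh, allows the plain clickable number, and warns on the clickable link whose `#` was hidden behind an HTML character reference.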
25th September 2012, 02:40 PM   |  #16  
Junior Member
It didn't work on the STANDARD GS3 browser.

The dialler opened up and there was NO number on the screen to dial. Hitting "call" brought up the last dialled number I had.
25th September 2012, 02:42 PM   |  #17  
Junior Member, Singapore
Quote:
Originally Posted by Lennyuk

Surely it depends if the browser is a system app or not?

If it is a system app, chances are it has permissions to dial out; if not, it won't.


EDIT:

If you are on an ICS ROM, please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app, and what happens.

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

It's working on my HTC Desire, 2.3.4 rooted, default browser. Saw my IMEI.
It's also working on my Nexus S, 4.0.3, rooted, default browser. Saw my IMEI.

Then tried it on my SIII on 4.0.4, dialer shows up, but nothing happens.
Last edited by chaoszcat; 25th September 2012 at 02:51 PM.
25th September 2012, 02:45 PM   |  #18  
rovar (Senior Member), Cancun
Quote:
Originally Posted by Lennyuk

Surely it depends if the browser is a system app or not?

If it is a system app, chances are it has permissions to dial out; if not, it won't.


EDIT:

If you are on an ICS ROM, please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app, and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

This affects Firefox and Chrome on an Epic Touch 4G.
And I'll see myself out

Tappin' Typin'
25th September 2012, 02:56 PM   |  #19  
AladdinZ (Senior Member), Male'
This is very serious and really bad. I just saw the news and checked if XDA members are aware and voila, everyone is worried. We really need a patch from Samsung as soon as possible. I wonder: USSD codes exist in a lot of devices and not only Samsung phones, so will they be vulnerable similarly to us S3 users?
25th September 2012, 02:56 PM   |  #20  
Senior Member
Android 4.1.1 and stock Phone app = safe. Code is displayed in phone app but nothing happens. But when I opened the link with the TouchPal dialer, the IMEI was displayed. When I clicked the link, the system asked me which phone app I wanted to use to open it. Either cancel it or choose a stock one and you are safe.


Tags
galaxy s3, iframe, samsung, ussd, wipe