[VULNERABILITY] Remote wipe via iframe USSD trigger

By chrisfu, Member on 25th September 2012, 12:22 PM
25th September 2012, 01:12 PM |#11  
sts_fin, Member
Quote:
Originally Posted by sts_fin

Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

Update: it works also with chrome... So no helping there.

Update to update: chrome parses the TEL: link but does not run the USSD.
Last edited by sts_fin; 25th September 2012 at 01:21 PM.
 
 
25th September 2012, 01:14 PM |#12  
Lennyuk, Recognized Developer, Essex, England
surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS ROM please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE
Last edited by Lennyuk; 25th September 2012 at 01:22 PM.
25th September 2012, 01:36 PM |#13  
Mopral, Senior Member, Saint-Brieuc
Quote:
Originally Posted by Lennyuk

surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS ROM please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

Tried on Opera mobile:

- It asks me to click before triggering the code
- I click to launch the process
- Then it just opens the dialer with the code "11111" in it
Last edited by Mopral; 25th September 2012 at 01:39 PM.
25th September 2012, 01:38 PM |#14  
Senior Member
SGS3 GT-I9300 ICS 4.0.4

Firefox: opens Phone app dialer, but nothing within.
Opera: Automatically suppresses frame loading and displays the warning.
Chrome: Opens Phone app dialer and shortly displays it, but does nothing.
Last edited by toncij; 25th September 2012 at 02:05 PM.
25th September 2012, 01:40 PM |#15  
Member
So, from what I can tell, this *only* affects certain "TouchWiz" devices.

On standard Android, it will launch the dialler - but the user has to hit the dial key for anything to happen.

And, depending on their device, hitting dial will try to send the code as a USSD rather than processing it internally.

Until Samsung issue an update there's little you can do other than replace the TouchWiz dialler.
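The reports in this thread turn on a page making the phone load a `tel:` URI without a tap. As an added example (not part of any post; the function names are hypothetical and the sample markup is constructed), a scanner that flags markup which auto-loads a `tel:` URI containing `*` or `#`. It covers frame-style `src` attributes and meta refresh, slightly more than the iframe case discussed here:

```javascript
// Added example: flag markup that loads a tel: URI carrying MMI/USSD
// characters without user interaction. Names are hypothetical.

// Classify a tel: URI as a plain phone number or an MMI/USSD-style code.
function classifyTelUri(uri) {
  const m = /^tel:(.*)$/i.exec(uri.trim());
  if (!m) return "not-tel";
  let body;
  try {
    body = decodeURIComponent(m[1]); // '#' normally arrives as %23
  } catch (e) {
    return "malformed"; // bad percent-encoding: treat as suspicious
  }
  // '*' or '#' marks a code the dialer may act on, not a number to call.
  if (/[*#]/.test(body)) return "mmi-code";
  return /^\+?[\d\s().-]+$/.test(body) ? "phone-number" : "other";
}

// Markup that loads its target by itself, unlike <a href> which needs a tap.
const AUTO_LOAD = [
  /<(?:iframe|frame|embed|img)\b[^>]*?\bsrc\s*=\s*["']?(tel:[^"'\s>]+)/gi,
  /<meta\b[^>]*?http-equiv\s*=\s*["']?refresh[^>]*?url\s*=\s*(tel:[^"'\s>]+)/gi,
];

// Return every auto-loaded tel: URI that is not a plain phone number.
function findAutoTelLoads(html) {
  const hits = [];
  for (const re of AUTO_LOAD) {
    for (const m of html.matchAll(re)) {
      const kind = classifyTelUri(m[1]);
      if (kind === "mmi-code" || kind === "malformed") {
        hits.push({ uri: m[1], kind });
      }
    }
  }
  return hits;
}

// Constructed sample page: one ordinary link, two frames, one meta refresh.
const SAMPLE = `
<a href="tel:+44 20 7946 0000">Call us</a>
<iframe src="tel:*%2300%23"></iframe>
<iframe src="tel:+442079460000"></iframe>
<meta http-equiv="refresh" content="0; url=tel:%2A%2300%23">
`;

console.log(findAutoTelLoads(SAMPLE));
```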
25th September 2012, 01:40 PM |#16  
Junior Member
It didn't work on the STANDARD GS3 browser.

The dialler opened up and there was NO number on the screen to dial. Hitting "call" brought up the last dialled number I had.
25th September 2012, 01:42 PM |#17  
Junior Member, Singapore
Quote:
Originally Posted by Lennyuk

surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS ROM please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app and what happens.

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

It's working on my HTC Desire, 2.3.4 rooted, default browser. Saw my IMEI.
It's also working on my Nexus S, 4.0.3, rooted, default browser. Saw my IMEI.

Then tried it on my SIII on 4.0.4, dialer shows up, but nothing happens.
Last edited by chaoszcat; 25th September 2012 at 01:51 PM.
25th September 2012, 01:45 PM |#18  
rovar, Senior Member, Cancun
Quote:
Originally Posted by Lennyuk

surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS ROM please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

This affects Firefox and Chrome on an Epic Touch 4G.
And I'll see myself out

Tappin' Typin'
25th September 2012, 01:56 PM |#19  
AladdinZ, Senior Member, Devil's Lair
This is very serious and really bad, I just saw the news and checked if XDA members are aware and voila, everyone is worried. We really need a patch from Samsung as soon as possible. I wonder, USSD codes exist in a lot of devices and not only Samsung phones, will they be vulnerable similar to us S3 users?
25th September 2012, 01:56 PM |#20  
Senior Member
Android 4.1.1 and stock Phone app = safe. Code is displayed in phone app but nothing happens. But when I opened the link with TouchPal dialer, IMEI has been displayed. When I clicked the link, system asked me which phone app I want to use to open. Either cancel it or choose a stock one and you are safe.
25th September 2012, 01:59 PM |#21  
Member
This works on my Galaxy S2 4.0.4. It displays the IMEI on stock, Dolphin and Chrome browser. Can't get it to work on S3 though with stock browser at least.
