Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,730,761 Members 42,224 Now Online
XDA Developers Android and Mobile Development Forum

[VULNERABILITY] Remote wipe via iframe USSD trigger

Tip us?
 
sts_fin
Old
(Last edited by sts_fin; 25th September 2012 at 01:21 PM.)
#11  
sts_fin's Avatar
Member
Thanks Meter 7
Posts: 70
Join Date: Dec 2008
Quote:
Originally Posted by sts_fin View Post
Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.
Update: it works also with chrome... So no helping there.

Update to update: chrome parses the TEL: link but does not run the USSD.
http://androidsuomi.fi/ - Biggest Finnish Android news source
 
Lennyuk
Old
(Last edited by Lennyuk; 25th September 2012 at 01:22 PM.)
#12  
Lennyuk's Avatar
Recognized Developer
Thanks Meter 1366
Posts: 5,626
Join Date: Jan 2010
Location: Essex, England

 
DONATE TO ME
surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS rom please try this from whatever browsers you have installed and let me know which browser, if its a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE
I am some sort of dev and a writer for LandofDroid. I am also a member of HTC Elevate. Was a member of the now defunct "Team Villain" aka VillainRom.

Guide to Unroot LG G3 for OTA
Chromecast System UI Crash Fix

http://forum.xda-developers.com/signaturepics/sigpic2315688_1.gif

Device info:
 
Current: LG G3, Google LG Nexus 5, Chromecast, Acer C720 Chromebook
Retired: HTC One, Google LG Nexus 4, Google Asus Nexus 7 Samsung Galaxy Note II Samsung Galaxy S III, Advent Vega (Tablet), Samsung Galaxy S II, Samsung Galaxy S, HTC Desire Z, HTC Desire HD, HTC Desire, HTC Hero

www.lennyuk.co.uk
Twitter | Google+
Like what I do? help me have a coffee<----- This is a link
 
Mopral
Old
(Last edited by Mopral; 25th September 2012 at 01:39 PM.)
#13  
Mopral's Avatar
Senior Member
Thanks Meter 341
Posts: 1,506
Join Date: Jan 2009
Location: Saint-Brieuc
Quote:
Originally Posted by Lennyuk View Post
surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS rom please try this from whatever browsers you have installed and let me know which browser, if its a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE
Tried on Opera mobile:

-it ask me to click before triggering the code
-I click to launch the process
-then it just open the dialer with the code "11111" in it
Attached Thumbnails
Click image for larger version

Name:	Screenshot_2012-09-25-14-36-31.jpg
Views:	1068
Size:	19.2 KB
ID:	1353513  
If I help you, don't forget to hit the thanks button

Device: Samsung Galaxy SIII GT-I9300 32GB Marble White
Rom: Stock XXDLJ4 Modem: XXDLID
Kernel: Latest Siyah Kernel
 
toncij
Old
(Last edited by toncij; 25th September 2012 at 02:05 PM.)
#14  
Senior Member
Thanks Meter 22
Posts: 125
Join Date: Dec 2010
SGS3 GT-I9300 ICS 4.0.4

Firefox: opens Phone app dialer, but nothing within.
Opera: Automatically suppresses frame loading and displays the warning.
Chrome: Opens Phone app dialer and shortly displays it, but does nothing.
The Following User Says Thank You to toncij For This Useful Post: [ Click to Expand ]
 
edent
Old
#15  
Junior Member
Thanks Meter 1
Posts: 18
Join Date: Sep 2009
So, from what I can tell, this *only* affects certain "TouchWiz" devices.

On standard Android, it will lauch the dialler - but the user has to hit the dial key for anything to happen.

And, depending on their device, hitting dial will try to send the code as a USSD rather than processing it internally.

Until Samsung issue an update there's little you can do other than replace the TouchWiz dialler.
 
Richies113
Old
#16  
Junior Member
Thanks Meter 19
Posts: 14
Join Date: Jul 2010
It didnt work on the STANDARD GS3 browser.

The dialler opened up and there was NO number on the screen to dial. Hitting "call" brought up the last dialled number I had
 
chaoszcat
Old
(Last edited by chaoszcat; 25th September 2012 at 01:51 PM.)
#17  
Junior Member
Thanks Meter 0
Posts: 3
Join Date: Apr 2011
Location: Singapore
Quote:
Originally Posted by Lennyuk View Post
surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS rom please try this from whatever browsers you have installed and let me know which browser, if its a system or data app and what happens.

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE
It's working on my HTC Desire, 2.3.4 rooted, default browser. Saw my IMEI.
It's also working on my Nexus S, 4.0.3, rooted, default browser. Saw my IMEI.

Then tried it on my SIII on 4.0.4, dialer shows up, but nothing happens.
 
rovar
Old
#18  
rovar's Avatar
Senior Member
Thanks Meter 90
Posts: 394
Join Date: Apr 2012
Location: Cancun
Quote:
Originally Posted by Lennyuk View Post
surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS rom please try this from whatever browsers you have installed and let me know which browser, if its a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE
This affects firefox and chrome on an epic touch 4G.
And I'll see myself out

Tappin' Typin'
 
AladdinZ
Old
#19  
AladdinZ's Avatar
Senior Member
Thanks Meter 76
Posts: 172
Join Date: Feb 2012
Location: Male'
This is very serious and really bad, I just saw the news and checked if XDA members are aware and voila, everyone is worried. We really need a patch from Samsung as soon as possible. I wonder USSD codes exists in a lot of devices and not only Samsung phones, will it be vulnerable similar to us S3 users?
 
----------------------------------------------------------------------------------------------------------------------
Everytime I Close My Eyes......I Can't See Seriously!
----------------------------------------------------------------------------------------------------------------------
Current Device: SGS 4 GT-I9500 ROM: Arrow Kernel: Adam
 
ranwej
Old
#20  
Senior Member
Thanks Meter 2
Posts: 124
Join Date: Oct 2009
Android 4.1.1 and stock Phone app = safe. Code is displayed in phone app but nothing happens. But when i opened the link with touchpal dialer, IMEI has been displayed. When I clicked the link, system asked me which phone app i want to use to open. Either cancel it or choose a stock one and you are safe.

Tags
galaxy s3, iframe, samsung, ussd, wipe
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes