[VULNERABILITY] Remote wipe via iframe USSD trigger

chrisfu

Senior Member
Aug 30, 2006
64
24
Manchester
UPDATE2: Lennyuk has confirmed that you shouldn't be affected by this so long as you're using the latest S3 ROM.

OK, so confirmed: if you are on the latest S3 ROM (and maybe other Samsung phones), your phone should no longer auto-launch the USSD code to do a factory reset.

UPDATE: Here is a video of this vulnerability being performed at Ekoparty 2012 over the weekend: http://www.youtube.com/watch?v=Q2-0B04HPhs

I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

Apparently the USSD code to wipe an S3 can be triggered in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this, please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Code:
the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this: <frame src="tel:*2767*3855%23" />

MOD EDIT: workaround here
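Added example, not code from this thread or from any of the posters: a small Python scanner that a site owner, proxy operator or researcher can run over fetched HTML to find tel: URIs a mobile browser would hand to the dialer without any click (frame/iframe src, and the meta-refresh form reported later in the thread) and to flag those that carry an MMI/USSD service code rather than a plain phone number. The sample page, the function names and the MMI pattern are constructed for the example.

```python
"""Scan HTML for tel: URIs that a mobile browser may pass to the dialer
without a click (frame/iframe src, meta refresh) and flag the ones that
carry an MMI/USSD service code such as *2767*3855# or *#06#.

Added example; the SAMPLE page below is constructed, not taken from a real site."""
from html.parser import HTMLParser
from urllib.parse import unquote
import re

# MMI/USSD service codes start with * or # and end with #, e.g. *#06# or *2767*3855#
MMI_RE = re.compile(r"^[*#][0-9*#]*#$")

# Elements whose src is fetched as soon as the page renders: no user click needed
AUTO_LOAD_TAGS = {"frame", "iframe"}


def classify_tel(uri):
    """Return (number, is_mmi) for a tel: URI, decoding %-escapes like %23 -> #."""
    number = unquote(uri.split(":", 1)[1]).strip()
    return number, bool(MMI_RE.match(number))


class TelTriggerScanner(HTMLParser):
    """Collects every tel: target and records whether it fires automatically."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _record(self, tag, uri, auto):
        if not uri or not uri.strip().lower().startswith("tel:"):
            return  # http(s), mailto, etc. are not dialer targets
        number, is_mmi = classify_tel(uri.strip())
        self.findings.append({"tag": tag, "number": number, "auto": auto, "mmi": is_mmi})

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing tags such as <frame ... /> through here
        a = dict(attrs)
        if tag in AUTO_LOAD_TAGS:
            self._record(tag, a.get("src"), auto=True)
        elif tag == "a":
            self._record(tag, a.get("href"), auto=False)  # needs a tap to navigate
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0;url=tel:..." -- the url= part is the navigation target
            for part in (a.get("content") or "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self._record("meta-refresh", part[4:].strip("'\""), auto=True)


def scan(html):
    """Parse a page and return the list of tel: findings in document order."""
    p = TelTriggerScanner()
    p.feed(html)
    p.close()
    return p.findings


def dangerous(findings):
    """Auto-loaded tel: targets that carry an MMI code: the no-click wipe/IMEI case."""
    return [f for f in findings if f["auto"] and f["mmi"]]


# Constructed sample page: the frame payload quoted in the thread, the meta-refresh
# variant mentioned later in the thread, plus a harmless tel: link and an ordinary iframe
SAMPLE = """<html><head>
<meta http-equiv="REFRESH" content="0;url=tel:*%2306%23">
</head><body>
<iframe src="https://example.com/ok"></iframe>
<frame src="tel:*2767*3855%23" />
<a href="tel:+441234567890">call us</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
    print("no-click MMI triggers:", len(dangerous(scan(SAMPLE))))
```

The scanner deliberately separates "fires without a click" from "is an MMI code": a plain `tel:+44...` link in an anchor is normal web content, while an auto-loaded frame or meta refresh whose number starts with `*` or `#` and ends with `#` is exactly the pattern the thread describes, and is what a content filter or crawler should alert on.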

kofiaa

Senior Member
Aug 27, 2011
1,356
268
Accra
I'll keep this quick in order to make sure everyone is aware of this exploit that has been published. I found it here: http://www.exquisitetweets.com/collection/tomscott/1762

Apparently the USSD code to wipe an S3 can be triggered in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this, please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Code:
the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this:

What the... why should this even work?! They need to fix this ASAP. Does it mean the frames can trigger other S3 codes? And is this only for the S3, Samsung phones, or Android in general?

Sent from my GT-I9300 using xda app-developers app
 

chrisfu

Senior Member
Aug 30, 2006
64
24
Manchester
What the... why should this even work?! They need to fix this ASAP. Does it mean the frames can trigger other S3 codes? And is this only for the S3, Samsung phones, or Android in general?

Sent from my GT-I9300 using xda app-developers app

Yep, you can trigger other USSD codes too. It's just that one that is the game-changer and will make Samsung sit up and take notice. Looking at the simplicity of it, it's a wonder it's not been discovered before. Unconfirmed, but I'd imagine this would affect all Samsung Android devices.

Update: Just to let you know, I'm investigating a way of removing the "tel:" URL handler now on my S3. If others can also investigate, we should have a short-term fix for this soon within the community.

port76

Senior Member
Jan 25, 2011
1,338
160
Does Samsung know about this? Has anyone informed them? This is serious, guys.

Sent from my GT-I9300 using xda premium
 

chrisfu

Senior Member
Aug 30, 2006
64
24
Manchester
Does Samsung know about this? Has anyone informed them? This is serious, guys.

Sent from my GT-I9300 using xda premium

I've tweeted @SamsungUK. They're as good as any other place to start. I'd suggest as many people bombard them as possible, just to get their attention. They can then let their primary Android devs know about this.

I've also tweeted @ChainfireXDA too, as he'd probably be quicker to react than Samsung. ;) @supercurio is usually really good at helping out in such circumstances as well.
 

projectsome

Senior Member
Nov 1, 2010
290
35
Easiest way to save yourself from this attack: set Chrome as your default browser; the tel: URI is not handled by Chrome.

Just tested it on an SGS3 and Note... So just use Chrome, and you are safe.

We have also contacted Samsung Finland about this.

Chrome is my default browser.

I normally root, remove apps I won't use like the default browser, then unroot.
 

chrisfu

Senior Member
Aug 30, 2006
64
24
Manchester
Easiest way to save yourself from this attack: set Chrome as your default browser; the tel: URI is not handled by Chrome.

Just tested it on an SGS3 and Note... So just use Chrome, and you are safe.

We have also contacted Samsung Finland about this.

Yep, I can confirm that with Chrome on ICS.

Just to add, there is some information here regarding intents within Android. Revoking CALL_PHONE permissions would serve to block this attack within any HTML-rendering app.

http://developer.android.com/guide/appendix/g-app-intents.html

If they don't affect normal calling or text messaging, the CALL and DIAL intents could be temporarily revoked, and this would fix the issue. It should just mean that "tel:" URIs within iframes and "a" tags wouldn't work within any app that renders HTML.
 

sts_fin

Senior Member
Dec 15, 2008
75
7
www.androidsuomi.fi
Easiest way to save yourself from this attack: set Chrome as your default browser; the tel: URI is not handled by Chrome.

Just tested it on an SGS3 and Note... So just use Chrome, and you are safe.

We have also contacted Samsung Finland about this.

Update: it works also with Chrome... So no help there.

Update to update: Chrome parses the tel: link but does not run the USSD.
 

Lennyuk

Inactive Recognized Developer
Jan 26, 2010
6,327
1,829
Suffolk, England
Surely it depends on whether the browser is a system app or not?

If it is a system app, chances are it has permissions to dial out; if not, it won't.


EDIT:

If you are on an ICS ROM, please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app, and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE
 

Mopral

Senior Member
Jan 6, 2009
1,572
343
Saint-Brieuc
Surely it depends on whether the browser is a system app or not?

If it is a system app, chances are it has permissions to dial out; if not, it won't.


EDIT:

If you are on an ICS ROM, please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app, and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

Tried on Opera Mobile:

- It asks me to click before triggering the code
- I click to launch the process
- Then it just opens the dialer with the code "11111" in it
 

Attachment: Screenshot_2012-09-25-14-36-31.jpg (19.2 KB)

toncij

Senior Member
Dec 18, 2010
197
39
SGS3 GT-I9300 ICS 4.0.4

Firefox: opens Phone app dialer, but nothing within.
Opera: Automatically suppresses frame loading and displays the warning.
Chrome: Opens Phone app dialer and shortly displays it, but does nothing.
 

edent

Member
Sep 14, 2009
49
10
shkspr.mobi
So, from what I can tell, this *only* affects certain "TouchWiz" devices.

On standard Android, it will launch the dialler - but the user has to hit the dial key for anything to happen.

And, depending on their device, hitting dial will try to send the code as a USSD rather than processing it internally.

Until Samsung issue an update there's little you can do other than replace the TouchWiz dialler.
 

Richies113

Member
Jul 10, 2010
14
19
It didn't work on the STANDARD GS3 browser.

The dialler opened up and there was NO number on the screen to dial. Hitting "call" brought up the last dialled number I had.
 

chaoszcat

New member
Apr 27, 2011
3
0
Singapore
Surely it depends on whether the browser is a system app or not?

If it is a system app, chances are it has permissions to dial out; if not, it won't.


EDIT:

If you are on an ICS ROM, please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app, and what happens.

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

It's working on my HTC Desire, 2.3.4 rooted, default browser. Saw my IMEI.
It's also working on my Nexus S, 4.0.3, rooted, default browser. Saw my IMEI.

Then tried it on my SIII on 4.0.4, dialer shows up, but nothing happens.
 

rovar

Senior Member
Apr 19, 2012
420
91
Cancun
Surely it depends on whether the browser is a system app or not?

If it is a system app, chances are it has permissions to dial out; if not, it won't.


EDIT:

If you are on an ICS ROM, please try this from whatever browsers you have installed and let me know which browser, if it's a system or data app, and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

This affects Firefox and Chrome on an Epic Touch 4G.
And I'll see myself out :(

Tappin' Typin'
 

AladdinZ

Senior Member
Feb 1, 2012
195
80
Devil's Lair
This is very serious and really bad. I just saw the news and checked if XDA members are aware and voila, everyone is worried. We really need a patch from Samsung as soon as possible. I wonder: USSD codes exist in a lot of devices and not only Samsung phones; will they be vulnerable similarly to us S3 users?
 

ranwej

Senior Member
Oct 2, 2009
173
200
Android 4.1.1 and stock Phone app = safe. Code is displayed in the phone app but nothing happens. But when I opened the link with the TouchPal dialer, the IMEI was displayed. When I clicked the link, the system asked me which phone app I want to use to open it. Either cancel it or choose the stock one and you are safe.
 

Top Liked Posts

The problem - and a solution

The issue has nothing to do with the browser. I've tested on ICS with Chrome, default browser and Dolphin - all behave the same way.

Test here: dylanreeve DOT com/phone.php (uses IMEI display USSD - it's totally safe).

The issue is with the stock dialer. If you can prevent that dialer from handling the tel: URL then you can either prevent or at least intervene in attack attempts. So the solution is... Install another dialer (probably any other dialer).

dylanreeve.posterous DOT com/remote-ussd-attack

(I can't post URLs yet)
I can confirm this works on my G300 phone (and most likely others too) by using <meta http-equiv="REFRESH" content="0;url=tel:*%2306%23"></HEAD> instead.

You can test if your phone is vulnerable here: 198.100.157.97/test.html

Edit: can a mod please turn this into a link, since I don't have enough posts to do so? Thanks.
It's looking like this is the case. Do you have a source for that information?

I spoke with the guy who told Samsung to patch it; he told them about 3 months ago.

He didn't tell anyone else.