Quote:

Originally Posted by sts_fin

Easiest way to save yourself from this attack: set Chrome as your default browser, the TEL uri is not handled by chrome.

Just tested it on a SGS3 and Note... So just use chrome, and you are safe.

We have also contacted Samsung Finland about this.

Update: it works also with chrome... So no helping there.

Update to update: chrome parses the TEL: link but does not run the USSD.

surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS rom please try this from whatever browsers you have installed and let me know which browser, if its a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

Quote:

Originally Posted by Lennyuk

surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS rom please try this from whatever browsers you have installed and let me know which browser, if its a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

Tried on Opera mobile:

-it ask me to click before triggering the code
-I click to launch the process
-then it just open the dialer with the code "11111" in it

SGS3 GT-I9300 ICS 4.0.4

Firefox: opens Phone app dialer, but nothing within.
Opera: Automatically suppresses frame loading and displays the warning.
Chrome: Opens Phone app dialer and shortly displays it, but does nothing.

So, from what I can tell, this *only* affects certain "TouchWiz" devices.

On standard Android, it will lauch the dialler - but the user has to hit the dial key for anything to happen.

And, depending on their device, hitting dial will try to send the code as a USSD rather than processing it internally.

Until Samsung issue an update there's little you can do other than replace the TouchWiz dialler.

It didnt work on the STANDARD GS3 browser.

The dialler opened up and there was NO number on the screen to dial. Hitting "call" brought up the last dialled number I had

Quote:

Originally Posted by Lennyuk

surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS rom please try this from whatever browsers you have installed and let me know which browser, if its a system or data app and what happens.

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

It's working on my HTC Desire, 2.3.4 rooted, default browser. Saw my IMEI.
It's also working on my Nexus S, 4.0.3, rooted, default browser. Saw my IMEI.

Then tried it on my SIII on 4.0.4, dialer shows up, but nothing happens.

Quote:

Originally Posted by Lennyuk

surely it depends if the browser is a system app or not?

If it is a system app chances are it has permissions to dial out, if not, it won't


EDIT:

If you are on an ICS rom please try this from whatever browsers you have installed and let me know which browser, if its a system or data app and what happens.

http://ninpo.qap.la/test/index.html

THAT LINK IS SAFE! IT TRIGGERS A SAFE USSD CODE NOT THE WIPE ONE

This affects firefox and chrome on an epic touch 4G.
And I'll see myself out

Tappin' Typin'

This is very serious and really bad, I just saw the news and checked if XDA members are aware and voila, everyone is worried. We really need a patch from Samsung as soon as possible. I wonder USSD codes exists in a lot of devices and not only Samsung phones, will it be vulnerable similar to us S3 users?

Android 4.1.1 and stock Phone app = safe. Code is displayed in phone app but nothing happens. But when i opened the link with touchpal dialer, IMEI has been displayed. When I clicked the link, system asked me which phone app i want to use to open. Either cancel it or choose a stock one and you are safe.