• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Remote Wipe Vulnerability

Search This thread

majatt

Senior Member
Jan 26, 2009
56
3
Hi Guys, the browser hack that wipes Samsung phones is not limited to just those handsets. These guys do a better job of describing the whole thing:
http://www.theverge.com/2012/9/26/3412432/samsung-touchwiz-remote-wipe-vulnerability-android-dialer

Here is a direct link to the exploit test:
http://dylanreeve.com/phone.php

I'm running MavRom4 with the China telco radio image and my device is vulnerable. Just wanted to share the info so people are aware; having two dialers and no default will force the exploit to ask you to actively pick a dialer; this would neutralize most cases but that is a pretty annoying work around.

Maybe people can post D3 Roms that aren't vulnerable.
 

doogald

Senior Member
May 27, 2010
1,387
337
I'm running MavRom4 with the China telco radio image and my device is vulnerable. Just wanted to share the info so people are aware; having two dialers and no default will force the exploit to ask you to actively pick a dialer; this would neutralize most cases but that is a pretty annoying work around.

Also, installing DialerOne and making it the default will protect you as well - you do not have to leave it without a default dialer set. DialerOne is actually a good dialer - I used to use it with my Droid Eris with CyanogenMod ROMs, in order to have the dial by name function that the Sense dialer supported back. And you can still leave the stock dialer set in a home page or on the launcher dock - it will still work if you call it up. It will not be called up if you launch the dialer from another app, though, if you make DialerOne the default.

The stock dialer is vulnerable - a predictable result, based on the vulnerability of MavRom, but I did want to say that I tested it. I haven't tested any other ROM - at this point, I don't have much time to try some out, and I think I recently deleted my most recent Liberty and Bionic Nandroid backups.

Let's see how long before Moto releases a critical patch update for stock. :rolleyes:
 

spunker88

Senior Member
Sep 8, 2006
1,319
335
Upstate NY
Thanks, this is good to know. I thought it was only Samsung phones that had the issue, but since I'm still on stock 2.3.4 it appears I'm vulnerable. I have GrooveIP Lite installed on my phone, an app that allows you to make voice calls with using your Google Voice number. With this app installed I get a complete action using Dialer or GrooveIP window so I should be safe if I get a random popup Ill be sure to not select Dialer.
 

jerrt010

Senior Member
Nov 7, 2010
50
5
I heard about this "wipe" problem and when I saw it was just passing dialer codes to the fone I knew it would affect more than just Samsung.

Does anyone know if they have a list started of fones that might be vulnerable?
 

doogald

Senior Member
May 27, 2010
1,387
337
I read somewhere (though haven't tested it...) that the D3 does not have a dialer code that resets the phone, as the Samsung phones do/did. So, the D3 fails the display the IMEI test, but I believe that the reset code does not work with the D3.
 

sloosecannon

Senior Member
Sep 10, 2012
589
162
FYI: CM10 kexec isn't vulnerable. Probably b/c it's JB (I think they fixed the vulnerability in JB). I go to the site and dialer pops up w/ *#06# No IMEI displayed

Sent from my AOKP JB GT-P3113 using Tapatalk