Hello. I'm the guy who put this collection together. I've since tried to update it, and to hit 'delete' on it to avoid spreading misinformation, but Exquisite Tweets is still caching the original version. Mea culpa: I didn't do the research before passing it on.
There's been a lot of back-and-forth over whether it's true or not (check @pof's timeline for such), and a hell of a lot of people sending it on without double-checking. Myself included.
There is clearly a big security bug here (see the video linked), but it's extremely questionable as to whether it can be activated from a web page or whether it requires a bit of social engineering too!
[Edited to add: and just as I write this, @jwheare has cleared the cache and fixed the bug in Exquisite Tweets. Hopefully that should nip this in the bud.]
I tried reproducing it using a "USSD" that works on my venerable Nexus One (radio debug - * # * # 4636 # * # *), but on entering the dialler app the input box is empty. This might simply mean the debug activity was started and got focus before the dialler app had its focus set, so if another such code triggered a factory reset, it might definitely still work.
I wrote a trivial webpage (using the show IMEI USSD * #06#), served from my desktop with Lighttpd. It certainly can be executed via a simple web page using a frameset on both Chrome & Browser, and there's no prompt. Works on a Huawei running 2.3, a Galaxy S2 running ICS, and an HTC.
1. Open the above link on your phone
2. Install the application (it requires no special permissions)
3. Try this IMEI test: http://jsfiddle.net/kKFn8/
4. Check the box to make "Auto-Reset Blocker" the default action
5. Auto-Reset Blocker will show you the malicious number
6. Open this safe telephone number test: http://jsfiddle.net/tLHpw/
7. Auto-Reset Blocker will show the safe number and you will be asked which dialer to use
8. Select your normal dialer
9. Your normal dialer will open with the safe number
Again, please give it a try. If people like it, I will see about setting up an Android Market account to distribute it.
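A defender-side sketch of the check discussed in this thread, added here as an example (it is not Auto-Reset Blocker's code or anything the commenters posted): it scans a page's `src`/`href` attributes for `tel:` URIs and flags dial strings that are codes rather than ordinary numbers. The function names, the constructed sample HTML and the rule that any `*` or `#` marks a USSD/MMI code are assumptions.

```javascript
// Added example: flag tel: URIs whose dial string looks like a USSD/MMI code.
// Assumption: any dial string containing '*' or '#' is treated as a code.

// Matches quoted src="..." / href='...' attribute values.
const ATTR_RE = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

function classifyTelUri(uri) {
  const m = /^\s*tel:(.*)$/is.exec(uri);
  if (!m) return null;                        // not a tel: URI
  let dial = m[1];
  try {
    dial = decodeURIComponent(dial);          // %23 -> '#', %2A -> '*'
  } catch (e) {
    // Malformed escape: keep the raw string; the raw check below still applies.
  }
  dial = dial.replace(/[\s\-().]/g, "");      // drop visual separators
  const isCode = /[*#]/.test(dial) || /%2[3aA]/.test(dial);
  return { dial, isCode };
}

function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(ATTR_RE)) {
    // Decode decimal character references such as &#35; before classifying.
    const value = (m[1] ?? m[2]).replace(/&#(\d+);/g,
      (_, n) => String.fromCharCode(Number(n)));
    const result = classifyTelUri(value);
    if (result) findings.push({ value, ...result });
  }
  return findings;
}

// Constructed sample page: the IMEI display code from this thread in a frame,
// an ordinary phone number, and the same code written with HTML entities.
const SAMPLE = `
<frameset><frame src="tel:*%2306%23"></frameset>
<a href="tel:+1-555-0100">Call us</a>
<a href='tel:*&#35;06&#35;'>info</a>
<img src="logo.png">`;

for (const f of scanHtml(SAMPLE)) {
  console.log(f.isCode ? "CODE  " : "number", f.dial);
}
```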
I tested it with my S2 and it works, but I had to put the files in a local web server because for some reason, the malicious code didn't work from jsfiddle.net
So I did the following:
1- I tested the link provided by kristofferR (http://kristofferr.com/samsung.html).
2- Made 2 local copies
3- Edited one of the copies, replacing the IMEI code with a normal phone number.
4- Placed both files in a local web server.
5- Accessed the files from my phone, and got the expected results with your App.
Works great. However, the immediate select app popup if it's "safe" means that the "This phone number appears safe" text is shadowed on my phone. Perhaps add a "dial" button?
Still, please set up a Market account, this would be great!
If I was really bored and feeling malicious, printing QR codes to point to this "exploit" and then pasting them over QR codes on random advertisements in the streets seems like a terrible idea.
This is pretty darn dangerous already, but I would note you may not need a website at all for this. From my understanding, the problem is in the stock dialer, and it automatically executes when the number is entered. I will quietly note here that, as part of the standard, QR codes can embed phone numbers. I do not have a Samsung phone to test this with. Anyone?
Check the html in your desktop browser first, for all you know I might as well be a malicious douchebag.
The exploit seems to require a stock Samsung Galaxy dialer, works fine on my cheap Samsung Galaxy Y but not on my friend's modded S3 with a vanilla Android dialer.
That's a pretty big flaw, there's plenty of companies with QR Codes printed on posters etc, only takes one malicious reprint or sticker overlay. I imagine Samsung will probably take fast action on it. Well, hopefully fast action.
As far as I can tell, the problem is with the Samsung Dialler application that's part of TouchWiz.
If you install a second dialler application via the Play Store, you'll initially be asked which dialler app you want to use before the code is executed - which can prevent execution.
There's a strong possibility that other dialler applications aren't affected (i.e. stock / 3rd party).
I just tested it on a Samsung Galaxy S3, in several forms (as src in link, script, img, video and object elements, as well as the href in an a element). Nothing happened here.
Hah! A friend of mine back in the BBS days had a last name that ended in a certain pair of characters that would trigger a zmodem download. Those were fun times, weren't they?
This is for real. Just confirmed the auto-execution of a USSD code on a Samsung Galaxy Mini II. Try the link below to see whether your device is vulnerable:
Works with my HTC Desire if I use the info code, the dialog for showing battery status etc pops up.
Raises interesting consumer protection questions, this is a 2010 phone with no updates recently. The law says the dealer has to fix or make up for manufacturing defects that show up years later.
Are software defects considered manufacturing defects?
BTW, read elsewhere that if you are using the Chrome browser instead of the Samsung browser this doesn't affect you. Haven't had the guts to test it myself.
I've just implemented this as a Rack middleware, meaning it can be added to every page in a Rails/Rack app with 3 lines of code. A bit of hacker fun, albeit scary hacker fun.
Classic case of a developer putting a backdoor in (for testing) and forgetting to take it out. I'm curious as to how long it will take to patch it and if there will be any fallout over this (they are the number 1 phone producer in the world).
[+] [-] tomscott|13 years ago|reply
[+] [-] forgotusername|13 years ago|reply
[+] [-] jrabone|13 years ago|reply
[+] [-] GICodeWarrior|13 years ago|reply
Please test it and make sure it works for you.
[+] [-] molmalo|13 years ago|reply
Thanks!
[+] [-] TazeTSchnitzel|13 years ago|reply
[+] [-] GICodeWarrior|13 years ago|reply
It is still rough on the eyes, but it serves the intended purpose.
[+] [-] nl|13 years ago|reply
May I suggest that pointing people to a simple webpage (like http://kristofferr.com/samsung.html) may be more user-friendly?
[+] [-] manki|13 years ago|reply
[+] [-] forgotusername|13 years ago|reply
[+] [-] Achshar|13 years ago|reply
[+] [-] andrewcooke|13 years ago|reply
[+] [-] aw3c2|13 years ago|reply
[+] [-] asmithmd1|13 years ago|reply
[+] [-] mibbitier|13 years ago|reply
[+] [-] ColinDabritz|13 years ago|reply
[+] [-] kristofferR|13 years ago|reply
[+] [-] nicholassmith|13 years ago|reply
[+] [-] antidoh|13 years ago|reply
[+] [-] headShrinker|13 years ago|reply
They will likely not fix this in any phone but the Galaxy S3 and Note 2 or when Jelly Bean is released for them.
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] jitbit|13 years ago|reply
[+] [-] hpaavola|13 years ago|reply
demo on the issue
[+] [-] estel|13 years ago|reply
[+] [-] gulbrandr|13 years ago|reply
[+] [-] lwhi|13 years ago|reply
[1] http://forum.xda-developers.com/showthread.php?t=1687249
[+] [-] lwhi|13 years ago|reply
[+] [-] FreshCode|13 years ago|reply
[+] [-] henriklied|13 years ago|reply
[+] [-] DirtyCalvinist|13 years ago|reply
[+] [-] semenko|13 years ago|reply
I'd been using the app Hidden Menus (https://play.google.com/store/apps/details?id=com.lorenx.and...) which stopped working at the ICS -> JB transition. You now need to type USSD/star codes manually.
Perhaps this puts a new face on the Android OS update/fragmentation problem.
[+] [-] jrabone|13 years ago|reply
[+] [-] armis|13 years ago|reply
[+] [-] oofabz|13 years ago|reply
[+] [-] joezydeco|13 years ago|reply
[+] [-] drewwwwww|13 years ago|reply
[+] [-] gulbrandr|13 years ago|reply
[+] [-] EwanToo|13 years ago|reply
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] sssparkkk|13 years ago|reply
http://www.tinyurl.com/samsungexploit
It will show your firmware version by executing *#1234#.
[+] [-] martingordon|13 years ago|reply
[+] [-] Geee|13 years ago|reply
[+] [-] Geee|13 years ago|reply
[+] [-] potkor|13 years ago|reply
[+] [-] camiller|13 years ago|reply
[+] [-] corin_|13 years ago|reply
[+] [-] timrogers|13 years ago|reply
http://news.ycombinator.com/item?id=4573320
[+] [-] esrauch|13 years ago|reply
[+] [-] emehrkay|13 years ago|reply
[+] [-] dubcanada|13 years ago|reply