Dialler exploit discovered; devices can be wiped with a single line of code [UPDATE]

Dialler exploit discovered; devices can be wiped with a single line of code [UPDATE]

Today it has been discovered that some Samsung TouchWiz-running devices can be wiped with a single line of HTML code without confirmation. According to the tweet below, the Galaxy S3 has been confirmed as vulnerable to the attack, with the S2, Ace and Galaxy S Advance (my phone!) also apparently at risk (however those devices have not been confirmed).


The exploit only affects the TouchWiz dialler, meaning that those of you with a Galaxy Nexus or running stock on your device shouldn’t be affected. The issue lies with the dialler not asking for confirmation when the ‘device reset’ USSD code is entered, whereas the stock dialer does as for confirmation. This dialler code can be added to an iframe via the Telephony HTML5 API, causing the code to be executed upon page load.

More as we have it…

Tweet explaining the exploit

UpdateAndroidPolice say that updated Galaxy S3 devices are not affected by the update (and have a video to prove it), but other manufacturers could still be affected.

Samsung Galaxy Note II to be launched in UK on 1st October
First Impressions: Space Pirates and Zombies (Humble Bundle 6)