Today it has been discovered that some Samsung TouchWiz-running devices can be wiped with a single line of HTML code without confirmation. According to the tweet below, the Galaxy S3 has been confirmed as vulnerable to the attack, with the S2, Ace and Galaxy S Advance (my phone!) also apparently at risk (however those devices have not been confirmed).
The exploit only affects the TouchWiz dialler, meaning that those of you with a Galaxy Nexus or running stock on your device shouldn’t be affected. The issue lies with the TouchWiz dialler not asking for confirmation when the ‘device reset’ USSD code is entered, whereas the stock dialler does ask for confirmation. This dialler code can be added to an iframe via the Telephony HTML5 API, causing the code to be executed upon page load.
More as we have it…
Update: AndroidPolice say that updated Galaxy S3 devices are not affected by the exploit (and have a video to prove it), but other manufacturers could still be affected.
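
A defender's view of the iframe mechanism described above, as an added example that is not from the original post: a Python scanner (usable in a proxy, mail gateway or site audit) that flags `tel:` URIs carrying USSD/MMI characters, and separates those in elements loaded without a tap from ordinary links. The tag list, function names and sample HTML are assumptions constructed for illustration; the sample uses the harmless `*#06#` IMEI-display code.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# (tag, attribute) pairs a browser fetches on page load, no tap needed (assumed list).
AUTOLOAD_ATTRS = {("iframe", "src"), ("frame", "src"), ("img", "src"),
                  ("script", "src"), ("embed", "src"), ("object", "data")}

def mmi_payload(url):
    """Return the decoded dial string if url is a tel: URI containing * or #, else None."""
    url = url.strip()
    if not url.lower().startswith("tel:"):
        return None
    number = unquote(url[4:])  # %2A -> *, %23 -> #
    return number if ("*" in number or "#" in number) else None

class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, decoded dial string)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            target, autoload = value, (tag, name) in AUTOLOAD_ATTRS
            # <meta http-equiv="refresh" content="0;url=..."> also fires on load.
            if tag == "meta" and name == "content" and "url=" in value.lower():
                target = value[value.lower().index("url=") + 4:]
                autoload = True
            dial = mmi_payload(target)
            if dial is not None:
                severity = "auto-load" if autoload else "needs-tap"
                self.findings.append((severity, tag, dial))

def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one normal phone link, three MMI-bearing tel: URIs.
SAMPLE = """
<a href="tel:+441632960123">Call us</a>
<a href="tel:*%2306%23">Show IMEI</a>
<iframe src="tel:*%2306%23"></iframe>
<meta http-equiv="refresh" content="0;url=tel:%2A%2306%23">
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The `auto-load` findings are the ones that match the page-load behaviour described in the post; `needs-tap` links still reach the dialler, but only after the user taps them.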