4.0.3Maybe whether or not it works depends on the Android version?
Anyone who is vulnerable right now, what Android version are you on?
Said to be patched in 4.0.4
4.0.3Maybe whether or not it works depends on the Android version?
Anyone who is vulnerable right now, what Android version are you on?
The problem arises (I believe) from the fact that certain USSD codes don't require you to press dial; they will run as soon as the last digit (generally a #) is entered (try it yourself; if you type *#06# into your dialer it should pop up with your IMEI without you pressing dial). So what "should" happen is that the number is entered, but not dialled. However with these codes, entering the last digit of the number DOES dial, and in Samsung's and HTC's respective dialler apps, they don't have anything preventing that from happening when the number is coming from a browser. The stock Android dialler does, I believe. EDIT: turns out this was at a time an Android wide bug, but has been fixed in Android, the fix just hasn't filtered through to all manufacturer builds. (As well as Samsung's in their latest ROMs; if you have a fully updated GSG3, you're probably safe)So it seems I may have made the right choice when I opted not to go for a Samsung phone with Touchwiz.
I still wonder why a website can automatically insert a phone number into the phone number field without any user interaction whatsoever though.
Well yes, but they could just as easily do this directly from the hacked app without opening a browser. It'd require certain permissions, which would be displayed when the app is being installed, but I doubt most people read those too carefully. I'm not completely sure, but a special permission may also be required for opening a web page, although that would be less suspicious (e.g. could be for opening developer's website or something) than being able to make calls. If the device is rooted, there's even more that can be done (in fact, there's basically no limit; this is why it is particularly silly to install pirated apps if you're rooted), although it will have to ask you for root permissions (although the uploader could possibly pass that off as part of the crack, dunno if people would believe that or not though).One more dumb question. It is easy to make an app launch a website right?
So, it is easy to someone hack a paid app, for example, plants of zombies, and change a link from the popcap site to a hacked site. Then put this hacked app for free on internet. It is easy to do with this security problem?
Don't just "be careful", take precautions; for the time being, a good workaround is to install Dialer One and set it as the default dialer for numbers from websites. In future, there may be an update from Samsung blocking the hole (it's already been done for the S3), or else the community will probably create a patch for the stock dialer app that you could install (or some other patch to prevent the hack, but maintain full functionality).Ouch, I really have to be careful what websites I go on with my mobile phone then, I have a samsung S2.
Don't just "be careful", take precautions; for the time being, a good workaround is to install Dialer One and set it as the default dialer for numbers from websites. In future, there may be an update from Samsung blocking the hole (it's already been done for the S3), or else the community will probably create a patch for the stock dialer app that you could install (or some other patch to prevent the hack, but maintain full functionality).Ouch, I really have to be careful what websites I go on with my mobile phone then, I have a samsung S2.
Of course, non-TouchWiz based custom ROMs should also be safe from the attack, so that's another option.
Haha, I'm on 4.1.1, probably explains it.4.0.3Maybe whether or not it works depends on the Android version?
Anyone who is vulnerable right now, what Android version are you on?
Said to be patched in 4.0.4
looks to be only the stock browser affected
which is the same as using ie in many ways...
Chrome is also affected. Opera Mobile locked the frame out requiring you to click on the code, but when clicked still gets launched without proper notification from android.looks to be only the stock browser affected
which is the same as using ie in many ways...
You'll notice people have said this only happens with the Stock Browser.well its doesnt affect the s3 in any case
running stock 4.0.4 with chrome
Samsung already released a statement saying it was fixed on phones running 4.0.4 so your phone is not at risk.hatredg0d said chrome was affected, it's not though
tested with stock browser and it opened the dialer, no imei displayed though
firefox also opens the dialer also but doesnt display the imei either
It is well established as a replacement dialer app, I'd say it's safe from the aspect of saving personal information and sending it to it's servers or whatever. If you mean in terms of being exploitable, it's not vulnerable to this same exploit.how safe is this dialer one app though?
Nope. I use Dolphin and I was able to run a USSD code directly from the browser using the test page. I am convinced the flaw is in the dialer app and not the browser (although the browser may be partially at fault also, depending how it parses tel: links).looks to be only the stock browser affected
which is the same as using ie in many ways...
I follow both sites and read many articles on both and never heard of this before today. When it was first discovered, it was communicated to Samsung privately and not publicised. No one else seems to have heard about it prior to the announcement in the last day or two. For example, the thread about it on XDA (where there are many very knowledgeable people who would have known about it if it had be public knowledge for a long time) has no mention of it being already known about.yeah yeah. Very old hole found in android back when 4.0.1 was first released. Works with any browser capable of sending data to the dial-ler. But most temps members wouldn't know since they avoid egadget and gizmodo.
Don't just "be careful", take precautions; for the time being, a good workaround is to install Dialer One and set it as the default dialer for numbers from websites.