Check the html in your desktop browser first, for all you know I might as well be a malicious douchebag.
The exploit seems to require a stock Samsung Galaxy dialer, works fine on my cheap Samsung Galaxy Y but not on my friend's modded S3 with a vanilla Android dialer.
To people reporting that this works on other devices such as HTC phones, this doesn't mean your phone is vulnerable: First, the hash-star code to display the IMEI number is standard, while the reset code is device-specific. Second, as I understand it the problem with the Galaxy S3 is that it doesn't ask for user confirmation after the reset code is entered.
Can anyone confirm that this is not only a safe USSD, but that it triggers the exploit? I am not an owner of an S3, but would love to be able to help show some of my non-tech friends whether they are vulnerable to this or not.
I've tested this using both a Galaxy S2 and S3. On the S2 the above page is safe and triggers the exploit to view the IMEI. On the S3 it launches the dialler; however, the dialler is empty and does not display the IMEI.
After investigating further, the S3 does not launch codes that begin with * # but will trigger the factory reset code, which is in the format of * 1234 * 1234 #.
Edit: Those with an S3 can confirm this by visiting http://no.tl/s.html in which I've embedded * 1234 * 1234 # (which is not the reset code, but is the same format)
Works on a stock Galaxy S2 with Samsung ICS, and a random stock HTC (colleague's phone). Triggers IMEI display via dialer from both Chrome and Browser :(
The approach of prompting the user "Do you want to call this number?" is far simpler and safer. After all, you could probably use tel: links or tel: redirects or something if the frame didn't work.
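An added example, not code posted by anyone in this thread: a static check you can run on a page's HTML before opening it on a phone. It lists every `tel:` URI that carries `*` or `#` and says whether it loads without a tap (frame, meta refresh) or only on click. The function and class names are hypothetical, and the sample page is constructed using the `*1234*1234#` placeholder format mentioned above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# (tag, attribute) pairs that load a URL with no tap, versus links a user must tap.
AUTO = {("iframe", "src"), ("frame", "src"), ("embed", "src"), ("object", "data")}
CLICK = {("a", "href"), ("area", "href")}
TEL = re.compile(r"^\s*tel:(.*)$", re.I | re.S)
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.I)

def dial_code(uri):
    """Return the decoded dial string if uri is tel: and contains * or #, else None."""
    m = TEL.match(uri or "")
    if not m:
        return None
    # '#' is often percent-encoded as %23 so it is not parsed as a URL fragment.
    number = unquote(m.group(1)).replace(" ", "")
    return number if ("*" in number or "#" in number) else None

class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (trigger, tag, dial string)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if (tag, name) in AUTO or (tag, name) in CLICK:
                code = dial_code(value)
                if code:
                    trigger = "auto" if (tag, name) in AUTO else "click"
                    self.findings.append((trigger, tag, code))
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_URL.search(attrs.get("content") or "")
            code = dial_code(m.group(1)) if m else None
            if code:
                self.findings.append(("auto", "meta", code))

def scan(html):
    parser = TelScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; *1234*1234# is the placeholder format from the thread.
SAMPLE = """<a href="tel:+15555550100">Call us</a>
<a href="tel:*1234*1234%23">tap</a>
<iframe src="tel:*1234*1234%23"></iframe>
<meta http-equiv="refresh" content="0; url=tel:*1234*1234#">"""
```

Navigation set from JavaScript is not visible to this static scan, so an empty result only covers the markup itself.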