There's been a lot of back-and-forth over whether it's true or not (check @pof's timeline for such), and a hell of a lot of people sending it on without double-checking. Myself included.
There is clearly a big security bug here (see the video linked), but it's extremely questionable as to whether it can be activated from a web page or whether it requires a bit of social engineering too!
[Edited to add: and just as I write this, @jwheare has cleared the cache and fixed the bug in Exquisite Tweets. Hopefully that should nip this in the bud.]
Please test it and make sure it works for you.
1. Open the above link on your phone
2. Install the application (it requires no special permissions)
3. Try this IMEI test: http://jsfiddle.net/kKFn8/
4. Check the box to make "Auto-Reset Blocker" the default action
5. Auto-Reset Blocker will show you the malicious number
6. Open this safe telephone number test: http://jsfiddle.net/tLHpw/
7. Auto-Reset Blocker will show the safe number and you will be asked which dialer to use
8. Select your normal dialer
9. Your normal dialer will open with the safe number
So I did the following:
1- I tested the link provided by kristofferR (http://kristofferr.com/samsung.html).
2- Made 2 local copies
3- Edited one of the copies, replacing the IMEI code with a normal phone number.
4- Placed both files in a local web server.
5- Accessed the files from my phone, and got the expected results with your App.
Still, please set up a Market account, this would be great!
It is still rough on the eyes, but it serves the intended purpose.
May I suggest pointing people to a simple webpage (like http://kristofferr.com/samsung.html) maybe more user-friendly?
I might try putting tel: links (for people to tap on) directly into the marketplace description.
The USSD code to factory data reset a Galaxy S3 is *2767*3855# and can be triggered from a browser like this: <frame src="tel:*2767*3855%23" />
Now, of course, it's just a bit of legacy nonsense that gets left enabled simply because it's part of an existing workflow and serves mostly as a hidden gotcha for people doing security analysis.
A more common attack vector to make money on compromised accounts would be setting up a call forward to an international number and then dialing the subscriber's phone number. Illegal low cost calling cards often steal service by doing this. If there was a way to also retrieve the user's phone number, I can imagine a system where you dial the calling card company, input your code and the number you want to dial... It tells you that it's trying to connect you and that it may take a couple of minutes... It snares the next person caught out on the website, sets their call forward to the number you want to dial, then dials that subscriber for you and connects. So then it's charging the wireless subscriber for your international call, and even if they then disable the call forward on their account, until you hang up, it's still charging them for the call forward.
(by the way, this displays in an awful Spanish for me, because of my default language)
It amazes me how many people I see scanning the QR code to get a copy of the map before they head out on the trails.
Whilst scanning it and trying to figure out what was wrong, the station master approached me to see what I was doing - since the poster had been installed he'd yet to see anyone use it, and had been waiting to ask someone what on earth it was for.
Still - if there is someone out there that wanted to hack me, they just have to place a QR code in a place where I am likely to have nothing to do for a while... At least with this poster it was actually easy to scan the codes, unlike those on billboards or posted on the tube here in the UK.
Every stop has a poster with a QR code on it, advertising that you can now look up when the next bus will be here by scanning the QR code. The first thing you might notice is that the poster is actually a photo of a QR code on a poster, and is taken at an angle sufficient to render scanning the QR code impossible.
The second thing you might notice is that all the posters are identical - they are, in fact, an advert for the QR code you are meant to scan and not the QR code itself.
So where are these QR codes? Somewhere else on the bus stop? On the post for the sign? No. Reading the smaller print on the poster reveals all: You simply visit their website on your PC and go to a specific URL, which delivers you a page full of QR codes. You then scan the QR code corresponding to the bus stop whose schedule you wish to view.
Couldn't be easier!
Actually, looking at the URL of the QR code image itself, it is for the download URL.
Lothian Buses in Edinburgh has done the right thing: they've stuck QR codes to each of their information signs, which direct you to the correct page on their mobile site, and the official Android app is registered for the URLs too.
I can see the usefulness of QR codes, but I don't think I've ever seen one implemented in a non-trivial or non-gimmicky way. They're a solution to a problem no one outside of marketing had.
Seemed pointless to me. This is how the public interacts with QR codes - they can't do anything that can't be done by pasting TEXT where the QR code would be.
And if you scanned the codes that were given in the different tracts, you were also sent the PDFs and slides of that tract.
It's the future, alright.
If you record audio into OneNote, it'll index the audio, synchronized to any other notes. I've used this on multi-hour meetings, to jump right to places where I think one party said something. Amazing.
Combining a couple projections, I see them going from utterly useless to gimmicky cool for a particular crowd within 2 years.
Doesn't it seem idiotic to duplicate what we already have (English characters) in some arcane, non-human-readable, punch-card-esque idiocy?
In a few years, all cellphones will be able to read English characters and words. There will be no need for QR punch-cards.
In a few years many people will also be walking around with AR-glasses (e.g. google glasses) which may very well scan the codes automatically and overlay them in the viewport with whatever they want to represent.
Or a 'smart billboard' perhaps:
Yeah, this would probably work.
Check the html in your desktop browser first, for all you know I might as well be a malicious douchebag.
The exploit seems to require a stock Samsung Galaxy dialer, works fine on my cheap Samsung Galaxy Y but not on my friend's modded S3 with a vanilla Android dialer.
(Perhaps the comment was edited after you suggested the correction)
After investigating further, the S3 does not launch codes that begin with *# but will trigger the factory reset code which is in the format of *1234*1234#
Edit: Those with an S3 can confirm this by visiting http://no.tl/s.html in which I've embedded *1234*1234# (which is not the reset code, but is the same format)
It seems to me that there's no reason at all to allow URIs beginning with tel: as the source of a frame. Surely that's a fair limitation?
They will likely not fix this in any phone but the Galaxy S3 and note 2 or when jelly bean is released for them.
demo on the issue
That was close
If you install a second dialler application via the Play Store, you'll initially be asked which dialler app you want to use before the code is executed - which can prevent execution.
There's a strong possibility that other dialler applications aren't affected (i.e. stock / 3rd party).
Edit: Found some postings on xda-dev that the GS3 is vulnerable. Could depend on firmware version, I know a system update came out recently on Sprint.
I'd been using the app Hidden Menus (https://play.google.com/store/apps/details?id=com.lorenx.and...) which stopped working at the ICS -> JB transition. You now need to type USSD/star codes manually.
Perhaps this puts a new face on the Android OS update/fragmentation problem.
Those of us with good modems back in the dialup days just laughed at this insanity. Hayes used to put "+++AT" in their press releases after a certain point just to trip up any noncompliant systems which may have passed it along.
It could force a modem to hang up and redial a number.
+++ is the Hayes command set string to enter command mode. AT is the prefix for commands, and H0 means "set switchhook to zero", i.e. "hang up". (H1 means "go off hook", DT means dial using touch tones, DP means dial, using pulses, etc).
The first two components (+++ and AT) are configurable, but no one ever changed them.
This is really just a weakness of in-band signaling. For this to work, you need a human on the modem side to type the escape and command strings -- or a program on the modem side that takes unfiltered data from the network and sends it back out without escaping.
That's the vulnerability. Accepting data from untrusted sources will always take you somewhere bad, and there are much worse things you can do to modems than make them hang up. If IRC clients would parrot tainted data back up the serial line, great havoc could be caused.
It will show your firmware version by executing *#1234#.
Raises interesting consumer protection questions, this is a 2010 phone with no updates recently. The law says the dealer has to fix or make up for manufacturing defects that show up years later.
BTW, read elsewhere that if you are using the Chrome browser instead of the Samsung browser this doesn't affect you. Haven't had the guts to test it myself.
EDIT: Can anyone confirm this?
However, the code doesn't seem to work...
e.g. *#06# displays the phone's IMEI number
The factory reset appears to be the only USSD "auto dialled" code that doesn't begin with *#. Which is rather unfortunate.
Edit: Actually, the IMEI code works on the Galaxy S2 running 2.3 (just tested) but not the Galaxy S3 running 4.0. My above comment refers to the S3.
<frame src="tel:*%2306%23" />
http://pastebin.com/cGgs7T4h << some thoughts
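A defender-side check for the tel: frame snippets discussed in this thread (the *#06# IMEI frame and the *1234*1234# format an S3 auto-dials): an added Python example, not code from any commenter or from the Auto-Reset Blocker app, that scans HTML for tel: links, decodes the %23 escape, and flags targets shaped like dialer-executed MMI/USSD codes rather than phone numbers. The regex, the class names and the sample page are my own assumptions.

```python
"""Find tel: URIs in HTML that would hand a USSD/MMI code to the dialer (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Code shapes mentioned in the thread (assumed pattern, not an exhaustive MMI grammar):
#   *#NNNN#      -> "*#" info codes such as *#06# (shows the IMEI)
#   *NNNN*NNNN#  -> the "*1234*1234#" shape the S3 auto-dials
# An ordinary number (+1555..., 555-0123) has no leading */# and no trailing #.
MMI_PATTERN = re.compile(r"^[*#]+\d+(?:[*#]+\d*)*#$")


class TelLinkFinder(HTMLParser):
    """Collect tel: targets from src/href attributes (frames, iframes, anchors)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; self-closing tags also land here.
        for name, value in attrs:
            if value and name in ("src", "href") and value.lower().startswith("tel:"):
                self.found.append((tag, unquote(value[4:])))  # %23 -> '#'


def classify(number):
    """Return 'ussd' for a dialer-executed code, 'phone' for a plain number."""
    return "ussd" if MMI_PATTERN.match(number) else "phone"


def scan_html(html):
    """Return [(tag, decoded_target, classification)] for every tel: link found."""
    parser = TelLinkFinder()
    parser.feed(html)
    return [(tag, num, classify(num)) for tag, num in parser.found]


# Constructed sample page: an auto-loading frame carrying the IMEI code, a frame
# with the harmless "*1234*1234#" shape from the thread, and a normal call link.
SAMPLE = """
<frame src="tel:*%2306%23" />
<iframe src="tel:*1234*1234%23"></iframe>
<a href="tel:+15555550123">call us</a>
"""

if __name__ == "__main__":
    for tag, num, kind in scan_html(SAMPLE):
        print(f"{tag:6} {num:16} {kind}")
```

Only frame/iframe hits matter for the auto-dial problem; an anchor still needs a tap, which is the social-engineering step the thread debates.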