Thanks to Mikeybear for highlighting this one for me on Facebook and Dylan Reeve for a nifty testing tool and an example. It seems that some Samsung Android handsets have a vulnerability that allows invoking USSD codes from a browser with minimal user interaction.
Not seeing anything about my particular handset, the Samsung Galaxy Nexus, I decided to test it out.
Turns out, it half works.
In stock Android 4.1.1 Jellybean (I upgraded from my telco-supplied image, using images available from Google on their website) on the Samsung Galaxy Nexus (with Skype installed alongside the default "Phone") I tested loading a page with:
<html>
<body>
<iframe width="4" height="4" src="tel:%23100%23"></iframe>
</body>
</html>
in it. #100# is the USSD code for account information on my telco.
Putting it to the test...
Chrome 18.0.1025308
It doesn't load initially, but if you go to another page and then go back, or go to the previous page and then forward, it invokes the dialler keypad but does not execute the code. You have to hit dial, then it will give dialler options (on my phone, standard and Skype). If you pick the standard one, then it will run the code supplied.
Firefox 15.0.1
Immediate load of dialler keypad, again it won't run it until you hit dial.
Android 4.1.1 Jellybean Browser
Immediate load of dialler keypad, again it won't run it until you hit dial.
Conclusion
The Galaxy Nexus running current firmware isn't fully vulnerable, but there is room for 'mischief'. You have to be careful not to hit dial if you weren't expecting to dial a number, and if you were, that the number doesn't contain unusual codes. Not all codes will necessarily be available, but clearly some do work if you let them proceed.
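For anyone who wants to screen pages before they reach a handset, here is an added example (not part of the original post or Dylan Reeve's tool) that scans HTML for tel: URIs carrying a percent-encoded * or # code and reports whether the element loads without a click. The names classify_tel, TelScanner and scan are hypothetical, the rule "any * or # means a code" is an assumption, and the sample phone number is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# (tag, attribute) -> how the URI gets loaded: without a click, or on a tap.
TRIGGERS = {("iframe", "src"): "auto", ("frame", "src"): "auto",
            ("img", "src"): "auto", ("embed", "src"): "auto",
            ("object", "data"): "auto", ("a", "href"): "click",
            ("area", "href"): "click"}
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)


def classify_tel(uri):
    """Return 'code', 'number', or None when uri is not a tel: URI."""
    uri = uri.strip()
    if not uri.lower().startswith("tel:"):
        return None
    dial = unquote(uri[4:])  # %23 -> '#', %2A -> '*'
    # Assumption: any dial string containing * or # is an MMI/USSD-style code.
    return "code" if re.search(r"[*#]", dial) else "number"


class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, trigger, decoded dial string)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        found = [(attrs[a], how) for (t, a), how in TRIGGERS.items()
                 if t == tag and attrs.get(a)]
        # A meta refresh navigates on its own, so treat it as auto-loading.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(attrs.get("content") or "")
            if m:
                found.append((m.group(1), "auto"))
        for uri, how in found:
            if classify_tel(uri) == "code":
                self.findings.append((tag, how, unquote(uri.strip()[4:])))


def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the test page from the post plus an ordinary phone link.
SAMPLE = ('<html><body><iframe width="4" height="4" src="tel:%23100%23"></iframe>'
          '<a href="tel:+6495550100">call us</a></body></html>')
```

Calling scan(SAMPLE) flags only the iframe, since the ordinary phone link contains no * or #.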