Samsung Galaxy S3 remote data-wipe vulnerability

Adunaphel

Angrily shouting at Klauwds
STAFF MEMBER
Joined
Jan 18, 2006
Messages
11,644
Location
Fermany
Car(s)
Cube²
http://www.slashgear.com/samsung-galaxy-s-iii-remote-data-wipe-hack-discovered-25249061/

Article says it all basically. A simple bit of javascript code will irrecoverably wipe a Galaxy S3 handset when the page is loaded. Apparently it is based upon using javascript to let the dialer enter a factory reset code. When telling it to dial a number it will ask you if you really want to dial it, but somehow the dialer goes straight to wipe mode as soon as the last digit of the code is entered, and behaves likewise when that code is fed to it via javascript.
 
Fuck Touchwiz. I can only recommend everyone to use an aftermarket ROM.
 
From my experience with Androids there is never a reason NOT to use an aftermarket ROM, aside from maybe the Nexus devices.
 
From my experience with Androids there is never a reason NOT to use an aftermarket ROM, aside from maybe the Nexus devices.
Stock Android comes without unicorns.
 
I believe this unicorn discussion will only make sense to hardcore Android fans. :lol:
 
Re: Samsung Galaxy S3 remote data-wipe vulnerability

This is a surprising fuckup. Granted AT&T branded s3's and a few others are protected already but still....unacceptable. Honestly i'm kinda shocked Verizon's S3 isn't protected given their notoriously lengthy testing process...

If you dont want to give up TW, you can use a third party dialer according to Android Central.

Things like device reset should never be able to be accomplished through the secret codes available via the dialer. that was just a bad idea period. I wonder who else does this?

Personally I like and prefer UI skins (sense 4 and TouchWiz UX being my favorites) for the small enhancements they add to Android...that and they tend to eradicate the (imo shitty) "inspired from Tron" looks that permeate ICS, and to a admittedly far lesser extent, JB.
 
Dude even iOS has security holes and it runs on very limited hardware and both it and the 3rd party apps are tested up the wazoo. Shit happens you know what I mean?
 
Dude even iOS has security holes and it runs on very limited hardware and both it and the 3rd party apps are tested up the wazoo. Shit happens you know what I mean?

Never said that security holes don't happen, they indeed do. I still think this is bad though, especially because of how easy it can be exploited.
 
Well... you gotta keep in mind the difference between relative ease of exploiting and actual probability of it happening in the wild. From the former standpoint this is a big issue and a silly one at that but from the latter it's relatively easy to avoid.
 
Dude even iOS has security holes and it runs on very limited hardware and both it and the 3rd party apps are tested up the wazoo. Shit happens you know what I mean?

As far as security holes go, this does kinda fall into the "in what universe was this ever a good idea?" category.
 
As far as security holes go, this does kinda fall into the "in what universe was this ever a good idea?" category.

I kind of doubt it was put in there on purpose ;) Clearly its some strange bug that wasn't caught in testing. I see something like that quite a bit working application support and all :) It should be a relatively easy fix for Samsung to make tho.
 
I kind of doubt it was put in there on purpose ;) Clearly its some strange bug that wasn't caught in testing. I see something like that quite a bit working application support and all :) It should be a relatively easy fix for Samsung to make tho.

Being able to type a reset code into the dialer is not something that happens accidentally.

Having it happen without confirmation was also probably intentional but it didn't occur to them that this could be done via a browser and that's what is being exploited.

In short, this isn't a bug per se rather a proper exploit.


As someone who spends his days writing code and even more time reading code to try and prevent this kind of stuff, that must suck for the developers.
 
Sent the exploit test code to 5 people I knew who have android phones without saying what it is, all of them opened it. Android may have an issue on their hands with the vast majority of non-tech savvy people, especially since those people are the type that don't regularly update their software.

(Note- code I sent was to show imei no, not wipe. Wouldn't wipe people's phones on purpose, and hopefully 5 less technophobes will not be exploited by this)
 
Sent the exploit test code to 5 people I knew who have android phones without saying what it is, all of them opened it. Android may have an issue on their hands with the vast majority of non-tech savvy people, especially since those people are the type that don't regularly update their software.
The problem is TouchWiz-specific. Helluva difference.
 
I`ll just leave this here:
ofUew.jpg
 
Re: Samsung Galaxy S3 remote data-wipe vulnerability

I`ll just leave this here:
ofUew.jpg

:lmao: +rep


but seriously, this is the kind of shit that makes people beeline straight to the Apple store for a iPhone...to a lot of the masses it IS the reliable smartphone.
 
Being able to type a reset code into the dialer is not something that happens accidentally.

Having it happen without confirmation was also probably intentional but it didn't occur to them that this could be done via a browser and that's what is being exploited.

In short, this isn't a bug per se rather a proper exploit.


As someone who spends his days writing code and even more time reading code to try and prevent this kind of stuff, that must suck for the developers.
Fair point, it is strange they left it in there I would think this was something set up for testing.

- - - Updated - - -

Tested on my review S3 with newest update. Doesn't work.

As per Samsung they fixed it in a patch.
 
Top