Yesterday we reported on a vulnerability on Samsung phones that could allow a malicious website to wipe a user's device, but new details are coming to light that indicate the issue extends beyond Samsung's product line — and that the dialer in some versions of Android may be the cause. Dylan Reeve writes that he was able to replicate the same behavior on both an HTC One X running HTC Sense 4.0 and a Motorola Defy running a version of CyanogenMod. The Next Web has confirmed the issue also exists on the HTC Desire running Android 2.2.
The problem appears to be the Android dialer itself. Websites are able to link characters with a special prefix in order to pass digits to the dialer in a phone — the same functionality that allows you to initiate a phone call from a site, for example. However, the dialers in phones also support specialized strings of characters that can do anything from displaying a phone's IMEI code to wiping the device itself. In devices vulnerable to the attack, the dialer treats these special codes the same as any other phone number, allowing a website to initiate a reset without the user authorizing it to do so.
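The distinction a non-vulnerable dialer has to draw, sketched as an added example (not code from Android, Reeve, or any vendor): a plain phone number handed over by a link may be prefilled, while a special code is only displayed and left for the user to confirm. It assumes the links in question use the `tel:` URI scheme; `classifyDialTarget`, the action names and the sample inputs are hypothetical.

```javascript
// Added example: hypothetical handler-side policy, not Android source.
// Assumption: links that hand digits to the dialer use the tel: scheme.

// Ordinary numbers: optional leading '+', digits and visual separators.
const PLAIN_NUMBER = /^\+?[0-9(). -]*[0-9][0-9(). -]*$/;

function classifyDialTarget(uri) {
  const m = /^tel:([\s\S]*)$/i.exec(String(uri).trim());
  if (!m) return { kind: 'not-dial-link', action: 'ignore' };

  let digits;
  try {
    // Drop ";param" suffixes, then percent-decode so an encoded '#'
    // (%23) is judged as the character the dialer would receive.
    digits = decodeURIComponent(m[1].split(';')[0]);
  } catch (e) {
    return { kind: 'malformed', action: 'reject' };
  }
  if (digits.length === 0) return { kind: 'malformed', action: 'reject' };

  if (PLAIN_NUMBER.test(digits)) {
    return { kind: 'phone-number', action: 'prefill', digits };
  }
  // '*', '#' or anything else unexpected: put it on screen only, and
  // leave pressing the call key to the user.
  return { kind: 'special-code', action: 'show-only', digits };
}

// Constructed sample inputs; *#06# is the standard IMEI display code.
const SAMPLES = ['tel:+1-555-0100', 'tel:*%2306%23', 'tel:*#06#',
                 'tel:%zz', 'https://example.com/'];

function reviewSamples() {
  return SAMPLES.map((s) => `${s} -> ${classifyDialTarget(s).action}`);
}

console.log(reviewSamples().join('\n'));
```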
As Reeve points out, the bug was corrected in Android earlier this year, but not all phones may be running the updated code. To help you check whether your phone suffers from the vulnerability, Reeve has put together a test website (the site will force your phone to display its IMEI number to you if it's vulnerable).
As for Samsung, the company has said the Galaxy S III has already been patched to avoid the problem — though we still found the AT&T variant vulnerable to the exploit in our testing (Samsung has also said it's testing a patch for the Galaxy S II, but availability and distribution are still open-ended questions). Installing a third-party dialer that is not vulnerable to the attack seems to be the best option for most users in the meantime. It's also important to remember that not all phones have factory reset codes built into them by default. Still, that will likely come as little comfort to users who are vulnerable to the attack — to say nothing of the impact it will have on those who already consider Android to be a platform with security issues.