Wipe a Samsung Galaxy S3 simply by visiting a web page


Apparently the USSD code to wipe an S3 can be triggered in a browser iframe. Obviously this is bad bad BAD. Until there is a fix for this, please keep your wits about you and avoid any hyperlinks to pages from untrusted sources.

Well, this is pretty stupid. In fact, that’s a monumental fuck-up. The Galaxy S3 can be wiped by entering *2767*3855# on the keypad. As phone numbers can be embedded as a hyperlink using tel: in place of http:, setting the source of an iframe to such a link enters the code automatically. It doesn’t need to be dialled, just entered.
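For anyone filtering pages at a proxy or auditing their own site, here is a small scanner for the pattern described above. It is an added example, not code from the original post: it flags tel: URIs whose number part contains USSD/MMI characters and marks whether the element loads without a tap. The AUTO_LOAD list and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Tag/attribute pairs a browser loads with no user tap (assumed list, not exhaustive).
AUTO_LOAD = {("iframe", "src"), ("frame", "src"), ("embed", "src"), ("object", "data")}

class TelCodeScanner(HTMLParser):
    """Collects tel: URIs whose number part holds USSD/MMI characters (* or #)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # Undo percent-encoding (%2A, %23) and remove whitespace so a
            # split-up scheme still matches.
            url = "".join(unquote(value).split())
            if not url.lower().startswith("tel:"):
                continue
            number = url[4:]
            if "*" not in number and "#" not in number:
                continue  # ordinary phone number, not a service code
            trigger = "auto" if (tag, name) in AUTO_LOAD else "click"
            self.findings.append((tag, name, number, trigger))

def scan(html):
    """Return (tag, attribute, code, trigger) tuples found in an HTML string."""
    scanner = TelCodeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; *#06# only displays the handset's IMEI.
SAMPLE = """
<a href="tel:+15550100">Call us</a>
<a href="tel:*%2306%23">tap me</a>
<iframe src="TEL:*%2306%23"></iframe>
<iframe src="https://example.com/"></iframe>
"""

if __name__ == "__main__":
    for tag, attr, number, trigger in scan(SAMPLE):
        print(f"{trigger:5} <{tag} {attr}> enters {number}")
```

Findings marked "auto" are the ones that matter here, since they match the iframe case where no tap is needed.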

What’s even more concerning is the number of S3s that probably run carrier versions of Android, which means a critical update may not be seen anytime soon.

Remember, kids. Open is good.