Closed Bug 794257 Opened 12 years ago Closed 12 years ago

Protect against remote USSD attack

Categories

(Firefox for Android Graveyard :: General, defect)

16 Branch
x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 794034

People

(Reporter: mfinkle, Unassigned)

Details

See details of the attack vector here:
http://dylanreeve.posterous.com/remote-ussd-attack

This attack depends on the type of dialer used on the phone. Some dialers, like the stock Galaxy Nexus dialer, will not actually dial the number, only display it waiting for the user to 'send'.

Others, like older Samsung and DroidX, will attempt to dial the number.

Maybe we could add a check for the USSD style number and display a prompt before sending to the dialer.

Not marking as confidential since the attack is public and not a problem in Firefox.
Another option is to just not honor those requests when the user did not explicitly click on a link.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Product: Firefox for Android → Firefox for Android Graveyard
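
The check proposed in the description, combined with the click-gating option from the follow-up comment, as an added example (not Firefox code; the function names and sample URIs are constructed for illustration). It allowlists plain phone numbers after percent-decoding and treats every other `tel:` payload as USSD/MMI-style, failing closed on malformed or doubly encoded input.

```javascript
// Added example, not Firefox code. All function names are hypothetical.

// Return the percent-decoded payload of a tel: URI.
// null      -> not a tel: URI at all
// undefined -> tel: URI with malformed percent-encoding (caller fails closed)
function telPayload(uri) {
  const m = /^tel:([\s\S]*)$/i.exec(String(uri).trim());
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]); // "%2A" -> "*", "%23" -> "#"
  } catch (e) {
    return undefined;
  }
}

// Allowlist: optional leading "+", then 1 to 15 digits once visual
// separators are removed. Anything else ("*", "#", a leftover "%" from
// double encoding, ";" parameters) is not treated as a plain number.
function isPlainNumber(payload) {
  if (typeof payload !== "string") return false;
  const digits = payload.replace(/[\s().-]/g, "");
  return /^\+?[0-9]{1,15}$/.test(digits);
}

// Decide what to do before handing the URI to the dialer.
// userClicked: true only when the navigation came from an explicit link
// click, as opposed to an iframe, redirect or script (assumed to be known
// to the caller).
function decideTelAction(uri, userClicked) {
  const payload = telPayload(uri);
  if (payload === null) return "not-tel";
  if (isPlainNumber(payload)) return "pass";
  return userClicked ? "prompt" : "block";
}

// Constructed sample inputs.
const samples = [
  ["tel:+1-201-555-0123", false], // plain number
  ["tel:*123%23", false],         // USSD-style, loaded without a click
  ["tel:%2A123%23", true],        // USSD-style, explicit click
  ["tel:%2523", true],            // doubly encoded "#"
  ["tel:%E0%A4%A", false],        // malformed percent-encoding
];
for (const [uri, clicked] of samples) {
  console.log(uri, clicked, "->", decideTelAction(uri, clicked));
}
```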