skyzem
Stammgast
Der Fehler erscheint nur wenn der Stock Dialer benutzt wird. Und dies mit einer Version < 4.1.1
Quelle (http://pastebin.com/cGgs7T4h):
[...]
The stock dialpad or dailers based on stock dialpad application in
Android versions prior to Android 4.1.1 release 1.1 (Jul 2012) allow
initiating handling by Intents through special chars or sequences
without propper validation and rejection. This allows the non
intended execution of actions without any input or confirmation by
the user.
Possible and already used in the wild attack vectors are tricking
users to scan QR codes with "tel:
Quelle (http://pastebin.com/cGgs7T4h):
[...]
The stock dialpad or dailers based on stock dialpad application in
Android versions prior to Android 4.1.1 release 1.1 (Jul 2012) allow
initiating handling by Intents through special chars or sequences
without propper validation and rejection. This allows the non
intended execution of actions without any input or confirmation by
the user.
Possible and already used in the wild attack vectors are tricking
users to scan QR codes with "tel:
Code:
" or including iframes with
"tel:[code]" as source on websites. Both will pass an Intent to the
phone dialer and through the non exsistent input validation this
could initiate actions bind to that code.
Although the dialpad should accept and handle "tel:[phone_number]"
inputs, it should not accept arbitrary code which is not a telephone
number as defined in the IETF RFC 3966.
[...]
To avoid this exploit it is recommended to use a Android firmware >=
version 4.1.1 release 1.1 or an equivalent custom ROM. It is also
possible to use an alternative phone dialer or tools which prevent
passing "tel:" URIs
Zuletzt bearbeitet: