A security hole has been discovered that allows some Samsung Galaxy phones running TouchWiz to be automatically factory reset without warning. This includes the Samsung Galaxy S2.
It was found by ex-Gadget Geeks presenter Tom Scott, among others. All an unsuspecting user has to do is go to a webpage via a specific link and their phone will be wiped back to how it came in the box.
"The USSD code to factory data reset a Galaxy S3 is *2767*3855# and can be triggered from browser like this," wrote Scott.
Developer Tom Hutchinson, who has helped Pocket-lint work out the incredibly damaging bug, says that the security blunder affects the Samsung Galaxy S3 too. The Ace, the SGS2 and S Advance have also been found to be affected so far. "Most, if not all Gingerbread phones or newer running TouchWiz will be vulnerable," he claims.
The fear is that those looking to wipe out Samsung phones would be able to embed the code easily on a website without Galaxy owners even realising what was about to happen. It could easily be used in a QR code too, and unwittingly scanned by a user.
In testing on the Pocket-lint SGS3, we've been unable to get the command to work. However, Arnoud Wokke, a journalist at Tweakers.net, claimed on Twitter that the bug affects the Samsung Galaxy S II and the Galaxy S Advance. He too was unable to get it working on the Galaxy Note or the Galaxy S III.
UPDATED 26 September: Samsung has told SlashGear that Galaxy S III users should ensure their phone is running the latest software as this resolves any issues:
“We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update. We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service.”