It is understandably alarming that some Samsung devices can be remotely wiped just by visiting a simple webpage. But a similar test I carried out reveals that non-Samsung devices could also be at risk. As you’ll see in the video, I created two separate HTML files: one with a code that works with the Samsung Galaxy S II, and another with an Android code that can easily be found on the internet.
The result: the HTC device did not execute the Samsung-specific command, but it did go ahead and execute the common Android code. Now imagine if we were to replace that code with one that resets the phone to factory settings. Another interesting fact is that Google’s Galaxy Nexus is safe from such hijacks, as it does not automatically execute the USSD command. Perhaps this is due to the Jelly Bean update.
As for users with devices that automatically execute the command, you might want to use Opera Mobile, since the browser suppresses the frame content.
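
For anyone filtering or reviewing pages on the network side, here is an added example (not code from this post or from any vendor) that flags HTML which would hand a USSD string to the dialer on page load. It assumes the test pages work by putting a tel: URI into a frame or similar auto-loading element, which the post implies but does not spell out; the names AUTOLOAD, ussd_number, AutoTelScanner and scan, and the sample page, are made up for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags whose URL is fetched on page load, with no tap from the user (assumed set).
AUTOLOAD = {"iframe": "src", "frame": "src", "embed": "src", "object": "data"}

def ussd_number(url):
    """Return the decoded number if url is a tel: URI carrying * or #, else None."""
    decoded = unquote(url.strip())
    if decoded[:4].lower() != "tel:":
        return None
    number = decoded[4:]
    return number if ("*" in number or "#" in number) else None

class AutoTelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, decoded number) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = ""
        if tag in AUTOLOAD:
            url = a.get(AUTOLOAD[tag], "")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=tel:..."
            target = a.get("content", "").partition(";")[2].strip()
            url = target[4:] if target[:4].lower() == "url=" else target
        number = ussd_number(url.strip("'\" "))
        if number:
            self.findings.append((tag, number))

def scan(html):
    scanner = AutoTelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; *#06# is the harmless "show IMEI" code.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=TEL:%2A%2306%23">
</head><body>
<a href="tel:+15550100">Call support</a>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, number in scan(SAMPLE):
        print(f"auto-loaded tel: URI with USSD characters in <{tag}>: {number}")
```

The ordinary "Call support" link is not reported, because it needs a tap and carries no * or #; only the auto-loading elements are.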
digi_owl says
Didn’t Apple patent something related to numbers in browsers? The JB behavior could be a response to that.