Samsung Bug Allowed Full Takeover of User Accounts



Malicious users could have seized control of any Samsung account due to a recent vulnerability, simply by tricking the user into clicking a malicious link.

Such links can be sent to users in a phishing email campaign, or embedded in a mirrored copy of a legitimate website, fooling the victim into clicking them.

A Ukrainian vulnerability hunter, Artem Moskowsky, reported 3 issues within Samsung's account management system to the tech giant, claiming a reward of $13,300. Artem also received a reward of $25,000 for discovering a Steam bug that would have allowed users to obtain the CD keys for any Steam game ever marketed on the digital gaming marketplace.

The main issue with Samsung's account management system was that it was vulnerable to Cross-Site Request Forgery (CSRF). CSRF lets an attacker's site trick the victim's browser into sending requests, carrying the victim's cookies, to another site on which the victim is currently logged in, without the victim knowing, while they are browsing the attacker's site.

This vulnerability posed 3 separate issues:

  1. It would allow attackers to change profile details.
  2. It would allow attackers to disable two-factor authentication when logging in.
  3. Finally, it would allow attackers to change the user's account security question.

While all three are serious, the third issue is the most serious. If the attacker can change the user's security question and answer, they can attempt to log in using the victim's email address and then initiate the password reset function.

By correctly answering the security question they themselves set, they obtain a new password that grants them access to the user's Samsung account.
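As an added illustration (not Samsung's code), this is the kind of defect behind the third issue and its fix: a minimal Python handler for the "change security question" action that trusts the session cookie alone, beside one that also checks the browser-set Origin header and a per-session CSRF token. The function names, the session structure and the origin are assumptions constructed for the example.

```python
import hmac
import secrets

# Assumed origin of the account service (constructed for this example).
SITE_ORIGIN = "https://account.example.com"


def vulnerable_change_security_question(session, form):
    """CSRF-prone handler: it trusts the session cookie alone, and the browser
    attaches that cookie to a form posted from any other site the victim visits."""
    if not session.get("user"):
        return 401
    session["security_question"] = form["question"]
    session["security_answer"] = form["answer"]
    return 200


def issue_csrf_token(session):
    """Synchronizer token: a random secret kept in the session and embedded in
    the legitimate form; a page on another origin cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def hardened_change_security_question(session, form, origin):
    """Same handler with two independent CSRF checks: the browser-set Origin
    header must match the site, and the form must carry the session's token."""
    if not session.get("user"):
        return 401
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    expected = session.get("csrf_token")
    if not expected or not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return 403
    session["security_question"] = form["question"]
    session["security_answer"] = form["answer"]
    return 200


def demo():
    """Replay a forged cross-site post (cookie present, token absent) against both
    handlers, then a legitimate same-site post against the hardened one."""
    forged = {"question": "pet", "answer": "attacker-chosen"}
    vuln_session = {"user": "victim"}
    forged_vs_vulnerable = vulnerable_change_security_question(vuln_session, forged)
    hard_session = {"user": "victim"}
    token = issue_csrf_token(hard_session)
    forged_vs_hardened = hardened_change_security_question(hard_session, forged, "https://evil.example")
    legit = {"question": "pet", "answer": "user-chosen", "csrf_token": token}
    legit_vs_hardened = hardened_change_security_question(hard_session, legit, SITE_ORIGIN)
    return forged_vs_vulnerable, forged_vs_hardened, legit_vs_hardened
```

The vulnerable handler accepts the forged post (200) because the cookie is all it checks; the hardened one rejects it (403) and still accepts the genuine form (200).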

Access to a Samsung account would have allowed attackers to track the user's and their device's movements, control the user's interconnected smart devices, access private notes, and more.


Thankfully, the vulnerability has now been fixed!
