A researcher discovered a vulnerability that made it easier to hack Samsung user accounts. Allegedly, three cross-site request forgery (CSRF) flaws could let an attacker take control of Samsung accounts. Exploiting the bug could simply require tricking the victim into clicking on a maliciously crafted link.
CSRF Flaw Allowed Hacking Samsung User Accounts
A researcher has found ways to hack Samsung user accounts. The attack simply involves exploiting cross-site request forgery (CSRF) vulnerabilities.
Reportedly, the researcher Artem Moskowsky found three bugs in the account management system of Samsung. One of these bugs could give an attacker complete control of the system. To exploit the bugs, an attacker could trick the victim’s browser to execute hidden commands as the victim click on a maliciously crafted link.
Explaining the three bugs, ZDNet stated:
“The first would have allowed an attacker to change profile details, the second would have allowed an attacker to disable two-factor authentication, while the third would have allowed an attacker to change the user’s account security question.”
Samsung Patched The Bug
The vulnerabilities discovered by Moskowsky were considered important. However, these bugs were also tricky in a way that these could even work with two-factor authentication measures. As stated in the blog,
“For good measure, if the account would have used two-factor authentication that could have been disabled at the same time the user accessed the malicious link.”
Moskowsky reported the vulnerabilities this month, giving them time to patch the bugs prior disclosure. Samsung has now patched the flaws alongside rewarding the researcher with $13,300.
While Moskowsky’s discovery seems unique in a way that it highlighted flaws in Samsung’s software, this isn’t anything new for Samsung in general. There always have been ways to snoop into Samsung smartphone users’ privacy as well. A few months ago, researchers discovered Samsung S7 smartphone’s vulnerability to hacks by exploiting meltdown flaw.
Latest posts by Abeerah Hashim (see all)
- Iranian Ride-Hailing App Exposed Drivers’ Information Via Unsecured Database - April 24, 2019
- Fitness Retailer BodyBuilding.com Suffered Data Breach - April 23, 2019
- Physician-Service EmCare Data Breach Exposed Information Of 60,000 Individuals - April 23, 2019