According to a security researcher, an attacker could have taken complete control of a user's Samsung account by deceiving the user into opening a malicious link. The vulnerability was fixed after the researcher reported the issue to Samsung this month.
The vulnerability is a cross-site request forgery (CSRF): while the user is on an attacker's site, it lets the attacker trick the user's browser into silently sending requests to another site the user is currently logged in to.
The researcher, Ukrainian bug bounty hunter Artem Moskowsky, identified three CSRF issues in Samsung's account management system.
The first issue allowed an attacker to change profile details, the second allowed an attacker to disable two-factor authentication, and the third allowed an attacker to change the user's account security question. Although all three are serious issues, it was the third that could be used to take over an account.
According to the researcher, the vulnerabilities stemmed from the way the Samsung.com account page handled security questions. When a user forgets their password, they can reset it by answering the security question. An attacker could have tricked a user into opening a malicious link that changed the user's security question and its answer.
The attacker would then start password recovery for the user's email address; the recovery flow now relied on the security question the attacker had just set. With the new password in hand, the attacker could log into the user's Samsung account.
If the account used two-factor authentication, that could have been disabled at the same time, when the user opened the malicious link.
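To show what was missing, here is an added illustration (not Samsung's code and not taken from the researcher's report) of a security-question endpoint before and after CSRF protection: the session cookie alone authorises the unprotected version, so a request the browser sends while the user is on another site goes through. The request and account classes, the site origin, the session store and the handler names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
SITE_ORIGIN = "https://account.example.com"  # assumed origin of the account page

@dataclass
class Request:  # constructed stand-in for an HTTP request as the server sees it
    method: str
    cookies: dict
    form: dict
    origin: str = ""  # Origin header; "" means the browser did not send one

@dataclass
class Account:
    security_question: str
    security_answer: str
    # Per-session synchronizer token embedded in the site's own forms; a cross-origin page cannot read it
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def change_question_unprotected(req, sessions):
    """Pre-fix: the session cookie alone authorises the change, whatever site triggered the request."""
    acct = sessions.get(req.cookies.get("session"))
    if acct is None:
        return 401
    acct.security_question, acct.security_answer = req.form["question"], req.form["answer"]
    return 200

def change_question_protected(req, sessions):
    """Hardened: POST only, Origin must match when present, token must match (constant-time compare)."""
    acct = sessions.get(req.cookies.get("session"))
    if acct is None:
        return 401
    if req.method != "POST":
        return 405  # a plain link (GET) can never change state
    if req.origin and req.origin != SITE_ORIGIN:
        return 403  # browser reports the request came from a foreign page
    if not hmac.compare_digest(req.form.get("csrf_token", "").encode(), acct.csrf_token.encode()):
        return 403  # no token, or a token the foreign page could not have known
    acct.security_question, acct.security_answer = req.form["question"], req.form["answer"]
    return 200

def demo():
    """Forged cross-site POST (cookie, no token, foreign Origin) vs. a legitimate same-site POST."""
    form = {"question": "attacker's question", "answer": "attacker's answer"}
    forged = Request("POST", {"session": "s1"}, form, "https://attacker.example")
    before, after = {"s1": Account("First pet?", "rex")}, {"s1": Account("First pet?", "rex")}
    legit = Request("POST", {"session": "s1"}, dict(form, csrf_token=after["s1"].csrf_token), SITE_ORIGIN)
    return (change_question_unprotected(forged, before),  # 200: question silently replaced
            change_question_protected(forged, after),     # 403: forged request rejected
            change_question_protected(legit, after))      # 200: the site's own form still works
```

The same token and Origin checks apply to every state-changing endpoint, including the one that disables two-factor authentication; a `SameSite` attribute on the session cookie is a further browser-side layer.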
With access to a user's Samsung account, an attacker can track the user's movements via the Find My Device feature, control the user's connected smart devices, read health data and private notes, and much more.
The researcher was awarded a $13,300 bounty by Samsung for reporting the three bugs.