A recently patched trio of flaws in Samsung’s mobile site was leaving users vulnerable to attackers who could have reset their user passwords and hijacked their accounts, The Register reports.
The flaws were found by security researcher Artem Moskowsky, who said that they were all cross-site request forgery (CSRF, or, alternatively, XSRF) bugs.
Moskowsky said that the problem was with the way that the Samsung.com account page handled password-reset security questions.
What should have been happening: the Samsung.com web app would check the “referer” header (yes, that’s the way it’s spelled) to confirm that data requests were coming from sites that were legitimately supposed to have access.
What glitched: the checks weren’t working properly. Any site could have retrieved the security-question answers, enabling an attacker to access user profiles, change information such as usernames, disable two-factor authentication (2FA), change passwords and thereby take over accounts.
The Register reports that in one proof of concept, Moskowsky showed how an attacker could exploit the CSRF flaw to change security questions – and answers – to whatever they want. From there, it would have been an easy hop to reset the password and take over a Samsung account.
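To make the mechanism concrete, here is an added example (not Samsung's code, and the article does not say how Samsung's check actually failed) of the kind of request-origin validation the text describes, alongside the per-session anti-CSRF token that should back it up. The host names and tokens are constructed values; the `naive_referer_check` function illustrates a generic mistake, a substring match on the raw header, for contrast with the strict check.

```python
"""Origin/Referer validation plus an anti-CSRF token for state-changing
requests (for example a 'change security question' form).
Added illustration; not Samsung's implementation."""
import hmac
from urllib.parse import urlsplit

# Hosts allowed to originate state-changing requests (constructed values).
ALLOWED_HOSTS = {"account.example.com", "www.example.com"}


def naive_referer_check(referer):
    """Generic weak pattern (NOT claimed to be Samsung's bug): a substring
    test on the raw Referer. 'https://www.example.com.attacker.test/'
    contains 'example.com' and so is wrongly accepted."""
    return referer is not None and "example.com" in referer


def strict_origin_check(headers):
    """Defender's version: prefer the Origin header, fall back to Referer,
    parse it, and compare the exact hostname and scheme against an
    allow-list. A missing or 'null' origin is rejected, since a
    state-changing request from a legitimate page always carries one."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin") or h.get("referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    return parts.hostname in ALLOWED_HOSTS


def is_csrf_protected(method, headers, session_token, form_token):
    """A state-changing request must pass the origin check AND carry a
    per-session anti-CSRF token equal to the one stored server-side.
    Safe methods (GET/HEAD/OPTIONS) are not meant to change state and
    are let through; the origin check alone is defence in depth, the
    token is the primary control."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if not strict_origin_check(headers):
        return False
    if form_token is None:
        return False
    # constant-time comparison avoids leaking the token via timing
    return hmac.compare_digest(session_token, form_token)


if __name__ == "__main__":
    # Constructed requests: one from the genuine account page, one from
    # a look-alike host that only the naive substring check would accept.
    genuine = {"Origin": "https://account.example.com"}
    lookalike = {"Referer": "https://www.example.com.attacker.test/"}
    print("naive accepts look-alike:", naive_referer_check(lookalike["Referer"]))
    print("strict accepts look-alike:", strict_origin_check(lookalike))
    print("genuine POST with matching token:",
          is_csrf_protected("POST", genuine, "s3cr3t-token", "s3cr3t-token"))
    print("genuine POST with wrong token:",
          is_csrf_protected("POST", genuine, "s3cr3t-token", "guess"))
```

In practice the origin check is a secondary control: browsers can omit Referer (privacy settings, Referrer-Policy) and a strict check then has to choose between rejecting legitimate users and letting requests through, which is why a synchronizer token tied to the session and, on current browsers, `SameSite` cookies carry most of the weight.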
Moskowsky:
Due to the vulnerabilities, it was possible to hack any account on account.samsung.com if the user goes to my page. The hacker could get access to all the Samsung user services, private user information, to the cloud.
When reporting what he originally thought were two CSRF flaws to Samsung – via that same Samsung.com site – Moskowsky came across a third bug that could have let him forcibly change security questions and answers.
I first discovered two vulnerabilities. But then when I logged in to security.samsungmobile.com to check my report, I was redirected to the personal information editing page.
This page didn’t look like a similar page on account.samsung.com. There was an additional ‘secret question’ field on it.
Samsung hadn’t yet responded to a request for comment from The Register as of Tuesday evening. It reportedly paid Moskowsky a total of $13,300 for the three vulnerabilities, which were rated medium, high, and critical.
He also picked up $20,000 last month for finding a big (now patched!) hole in Steam that gave him every game’s license keys.