Last updated: December 14th, 2018 at 00:02 UTC+01:00
The flaw falls into the class of Cross-Site Request Forgery (CSRF) vulnerabilities. In a CSRF attack, a page under the attacker's control makes the victim's browser send requests to another site the victim is logged into; because the browser automatically attaches the session cookies for that site, the site treats the forged requests as if the user had made them.
Moskowsky discovered three CSRF vulnerabilities in Samsung's account management system, all of which require the victim to open a malicious link while logged in to their Samsung account. The first allowed attackers to modify account profile details; the second let them disable two-factor authentication (if enabled); the third, and most severe, let them change the user's account security question and answer.
The third vulnerability was the critical one because Samsung's password recovery flow allowed resetting the account password by answering the security question. An attacker who had silently replaced the question and answer could start password recovery on the account login page, answer the question they had set themselves, and choose a new password, gaining full access to an account that can contain private notes, health data, smart home controls, location data and more.
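The pattern behind the third flaw, as an added illustration that is not SamMobile's or Samsung's code: a security-question handler that trusts the session cookie alone accepts a form post auto-submitted from the attacker's page, while the same handler with an Origin check, a per-session synchronizer token and a current-password re-authentication rejects it. The HTTP layer is simulated with a plain Request object, and the hostnames (account.example, attacker.example), the session store and the account record are constructed for the example.

```python
"""Added example, not code from the original article or from Samsung: a model
of a CSRF-prone account handler beside its hardened form.  The hostnames,
session store and account data below are constructed for illustration."""
import hmac
import secrets

SITE_ORIGIN = "https://account.example"   # assumed origin of the account service

SESSIONS = {}   # session cookie value -> server-side session state
ACCOUNTS = {}   # username -> account record


class Request:
    """A bare-bones HTTP request as the account service would see it."""
    def __init__(self, method, cookies, form, origin=None):
        self.method = method
        self.cookies = cookies    # cookies the browser attached automatically
        self.form = form          # POST body fields
        self.origin = origin      # Origin header set by the browser


def login(username, password):
    """Create a server-side session; returns the session cookie value."""
    if ACCOUNTS[username]["password"] != password:
        raise PermissionError("bad credentials")
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def current_user(req):
    sess = SESSIONS.get(req.cookies.get("SESSION"))
    return sess["user"] if sess else None


def change_security_question_vulnerable(req):
    """CSRF-prone: the session cookie is the only check, and the browser
    attaches that cookie to a cross-site form post just as readily."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 401
    ACCOUNTS[user]["question"] = req.form["question"]
    ACCOUNTS[user]["answer"] = req.form["answer"]
    return 200


def change_security_question_hardened(req):
    """Same operation with the usual CSRF defences layered on."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 401
    # 1. Origin check: a form posted from the attacker's page carries its origin.
    if req.origin != SITE_ORIGIN:
        return 403
    # 2. Synchronizer token: bound to the session and unreadable cross-site.
    expected = SESSIONS[req.cookies["SESSION"]]["csrf_token"]
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403
    # 3. Re-authentication for a change that feeds the password recovery flow.
    if req.form.get("current_password") != ACCOUNTS[user]["password"]:
        return 403
    ACCOUNTS[user]["question"] = req.form["question"]
    ACCOUNTS[user]["answer"] = req.form["answer"]
    return 200


def simulate():
    """Victim logs in, then visits an attacker page that auto-submits a form to
    the account service.  Returns (status, stored answer) for the forged
    request against each handler and for a legitimate same-origin request."""
    ACCOUNTS.clear()
    SESSIONS.clear()
    ACCOUNTS["victim"] = {"password": "correct horse",
                          "question": "first pet?", "answer": "Rex"}
    sid = login("victim", "correct horse")

    # Forged request: attacker-chosen body, browser-supplied cookie, and an
    # Origin header naming the attacker's page (constructed value).
    forged = Request("POST", {"SESSION": sid},
                     {"question": "attacker?", "answer": "pwned"},
                     origin="https://attacker.example")
    vuln = (change_security_question_vulnerable(forged),
            ACCOUNTS["victim"]["answer"])

    ACCOUNTS["victim"].update(question="first pet?", answer="Rex")
    hard = (change_security_question_hardened(forged),
            ACCOUNTS["victim"]["answer"])

    # Legitimate request from the site's own settings page.
    legit = Request("POST", {"SESSION": sid},
                    {"question": "birth city?", "answer": "Seoul",
                     "csrf_token": SESSIONS[sid]["csrf_token"],
                     "current_password": "correct horse"},
                    origin=SITE_ORIGIN)
    ok = (change_security_question_hardened(legit),
          ACCOUNTS["victim"]["answer"])
    return {"vulnerable": vuln, "hardened": hard, "legitimate": ok}


if __name__ == "__main__":
    print(simulate())
```

The vulnerable handler returns 200 and stores the attacker's answer; the hardened one returns 403 on the first failed check and leaves the record untouched, while the legitimate request still succeeds. Any one of the three checks would have stopped the forged post here; they are layered because each covers a different failure (a missing Origin header, a leaked token, a session hijack). Modern browsers also default cookies to SameSite=Lax, which withholds the session cookie from cross-site form posts, but a server should not rely on the client for that.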
Samsung awarded $13,300 to the researcher for discovering these vulnerabilities. It is not clear if these vulnerabilities were actually exploited by any attackers so far.