Hackers could have taken over any Samsung account just by tricking a user into accessing a malicious link, a security researcher told ZDNet yesterday.
The vulnerability has now been fixed after the researcher, Ukrainian bug bounty hunter Artem Moskowsky, reported the issue to Samsung this month.
At the heart of this Samsung account issue is what security experts call a cross-site request forgery (CSRF) vulnerability. Explained in lay terms, this vulnerability allows an attacker to trick a user’s browser into executing hidden commands on other sites the user is currently logged into, while the user is merely visiting an attacker-controlled site.
Moskowsky told ZDNet that he identified three CSRF issues in Samsung’s account management system.
The first would have allowed an attacker to change profile details, the second would have allowed an attacker to disable two-factor authentication, while the third would have allowed an attacker to change the user’s account security question.
While all three were important issues, the third one could have been used to take over an account. Moskowsky told ZDNet that an attacker could have tricked a user into accessing a malicious link that would have changed the user’s security question and respective answer.
The attacker could have then attempted to log into the user’s account using that user’s email address and initiated a password recovery process that relied on the now-tainted security question. With a new password in hand, the attacker could then access the user’s Samsung account.
For good measure, if the account had used two-factor authentication, that could have been disabled at the same time the user accessed the malicious link.
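To make the CSRF explanation above concrete, here is an added example (not ZDNet’s, Samsung’s or the researcher’s code) that models the two account endpoints the article names, a security-question change and a two-factor disable, first in the cookie-only form that CSRF exploits and then with the usual defences: a SameSite session cookie, an Origin check, a per-session synchronizer token, and re-entry of the current password for these particular changes. Requests, sessions and the cookie jar are plain Python objects so it runs offline; the origin `https://account.example.com`, the function names and the sample credentials are placeholders, not Samsung’s real hosts or API.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Placeholder origin for the account site; an assumption, not Samsung's real host.
SITE_ORIGIN = "https://account.example.com"


@dataclass
class Session:
    user: str
    password: str  # stored in clear only to keep this model short
    security_question: str = "first pet"
    security_answer: str = "rex"
    two_factor_enabled: bool = True
    # Per-session secret embedded in the site's own forms; another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict


SESSIONS: dict = {}


def login(user: str, password: str) -> str:
    """Create a session and return the id the Set-Cookie header would carry."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user, password=password)
    return sid


def session_cookie_header(sid: str) -> str:
    """SameSite=Lax makes the browser withhold the cookie on cross-site POSTs."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def vulnerable_change_question(req: Request) -> bool:
    """Before: trusts the session cookie alone. The browser attaches that cookie
    automatically, so a form submitted from any other page is processed as the user."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None or req.method != "POST":
        return False
    session.security_question = req.form["question"]
    session.security_answer = req.form["answer"]
    return True


def _authorised_session(req: Request):
    """Shared checks for every state-changing endpoint: session, Origin, CSRF token."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None or req.method != "POST":
        return None
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return None
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return None
    return session


def _password_confirmed(req: Request, session: Session) -> bool:
    """Sensitive changes also require the current password, so a forged request
    cannot be completed even if a token ever leaked."""
    return hmac.compare_digest(req.form.get("current_password", ""), session.password)


def hardened_change_question(req: Request) -> bool:
    """After: the recovery flow will later trust this field, so it gets every check."""
    session = _authorised_session(req)
    if session is None or not _password_confirmed(req, session):
        return False
    session.security_question = req.form["question"]
    session.security_answer = req.form["answer"]
    return True


def hardened_disable_two_factor(req: Request) -> bool:
    session = _authorised_session(req)
    if session is None or not _password_confirmed(req, session):
        return False
    session.two_factor_enabled = False
    return True


def cross_site_post(sid: str, form: dict) -> Request:
    """Constructed request modelling a form submitted from a foreign page: the browser
    still attaches the sid cookie, but Origin is foreign and no token is known."""
    return Request("POST", {"Origin": "https://evil.example"}, {"sid": sid}, form)


def same_site_post(sid: str, form: dict) -> Request:
    """Constructed request from the site's own form, which embeds the session token."""
    form = dict(form, csrf_token=SESSIONS[sid].csrf_token)
    return Request("POST", {"Origin": SITE_ORIGIN}, {"sid": sid}, form)
```

The cookie-only handler accepts the cross-site submission; the hardened one rejects it for three independent reasons, and the password prompt covers the case the article describes, where a single visit is used to alter the recovery question and switch off two-factor authentication in one go.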
Access to a Samsung account can allow an attacker to track a user’s movements via the Find My Device feature, control the user’s interconnected smart devices, access user health data, gain access to private notes, and more.
For the three bugs he reported, Samsung awarded the researcher a $13,300 reward. Last month, the researcher also collected a $25,000 bounty for a Steam bug that would have allowed an attacker to get any CD keys for any Steam game, ever.