Samsung recently released a security patch that fixed a bug in its account management system. This security hole could have allowed attackers to take control of any Samsung account by tricking its owner into clicking a malicious link disguised as an official one. The vulnerability was discovered by a Ukrainian engineer, Artem Moskowsky, who reported it to Samsung this month.
The vulnerability is a cross-site request forgery (CSRF), a term used by software engineers and hackers for an attack that tricks a web browser into executing hidden commands on another site the user is logged into while the user is visiting the attacker's site.
Artem did not discover just one bug: he highlighted three such CSRF vulnerabilities in Samsung's account manager. All three required the user to click a malicious link. The first would allow attackers to change the user's profile details; the second would allow them to disable two-factor authentication on behalf of the real user; and the third would let attackers change the security question and its answer without the user knowing about it.
Samsung used the security question and answer when a user attempted to reset or change a password. This means an attacker who could change a user's security question and answer could also change the user's password, gaining full access to an account that may contain private notes, pictures, health and financial data, smart home controls, location history and passwords for other apps.
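To make the mechanism concrete, the following added example (not Samsung's code; the endpoint path, site origin and session layout are assumed) shows a hypothetical security-question handler that trusts only the session cookie beside one that also demands a per-session anti-CSRF token and a same-origin check, which is the standard mitigation for the class of bug described above.

```python
import hmac
import secrets

# Added example, not Samsung's code: a hypothetical account-settings endpoint
# that changes the security question, shown without and with CSRF protection.
SITE_ORIGIN = "https://account.example.com"  # assumed origin of the settings page

def new_session(user):
    """Server-side session created at login; the anti-CSRF token is bound to it."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32), "security_qa": None}

def settings_form(session):
    """The site's own page embeds the token in its form; a page on another
    origin cannot read that form, so it cannot reproduce the token."""
    return {"action": "/account/security-question", "csrf_token": session["csrf_token"]}

def change_question_unprotected(session, request):
    """Vulnerable pattern: trusts the session cookie alone, which the browser sends with any POST."""
    if request["method"] != "POST":
        return "rejected: not a POST"
    session["security_qa"] = (request["form"]["question"], request["form"]["answer"])
    return "ok"

def change_question_protected(session, request):
    """Hardened pattern: require a matching Origin header and the session's
    token (constant-time compare) before any state change."""
    if request["method"] != "POST":
        return "rejected: not a POST"
    if request.get("headers", {}).get("Origin") != SITE_ORIGIN:
        return "rejected: cross-origin request"
    sent = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return "rejected: missing or invalid CSRF token"
    session["security_qa"] = (request["form"]["question"], request["form"]["answer"])
    return "ok"

def demo():
    """Constructed requests: one from the site's own form, one auto-submitted
    from another origin with no token (the session cookie still rides along)."""
    s = new_session("alice")
    legit = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": settings_form(s)["csrf_token"],
                      "question": "first pet", "answer": "rex"}}
    forged = {"method": "POST", "headers": {"Origin": "https://other.example"},
              "form": {"question": "first pet", "answer": "attacker-chosen"}}
    return {"unprotected_forged": change_question_unprotected(new_session("bob"), forged),
            "protected_forged": change_question_protected(s, forged),
            "protected_legit": change_question_protected(s, legit),
            "final_qa": s["security_qa"]}
```

Calling `demo()` shows the unprotected handler accepting the cross-origin request while the protected one rejects it and still serves the site's own form; the same token check belongs on every state-changing endpoint, including profile edits and two-factor settings.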
Samsung awarded Moskowsky $13,300 for discovering these vulnerabilities and reporting them. Although the bugs were found and fixed aggressively, it is still unknown whether any user's account was compromised. So far, there have been no reports of these vulnerabilities being exploited. We hope that Moskowsky was the first person to discover these security holes.