Samsung Fixes Three Critical Bugs Reported by Ukrainian Bug Bounty Hunter

  • Samsung’s account management system featured three serious CSRF gaps
  • Attackers could have gained full access to the users’ accounts through a simple process
  • Artem Moskowsky was awarded $13300 for his finds and reports to Samsung

Not long after Samsung claimed that its phones and software are the most secure available, a set of three CSRF (cross-site request forgery) issues in its own account management system has undercut those claims. The bugs were disclosed by Ukrainian security researcher and bug bounty hunter Artem Moskowsky, the same person who uncovered a serious Steam bug last month.

CSRF attacks abuse the fact that a user is already authenticated to a web application: the browser attaches the session cookie to requests the user never meant to send, so a sequence of state-changing requests goes through without the user realizing it. The attack can be triggered simply by visiting a website or opening a link from a chat or email, which lets the attacker trick the user's browser into executing whatever actions the attacker is aiming for. Usually, these actions involve changing the account's email address, which then grants the attacker access to the victim's account.

Moskowsky identified and reported three CSRF issues: the first allowed an attacker to alter the profile details, the second to disable two-factor authentication, and the third and worst to change the account's security question. The attacker could then visit the Samsung account sign-in page, initiate password recovery using the altered security question, and, with two-step authentication already disabled, gain access to another user's Samsung account.
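As an added example (not code from the article or from Samsung's system), here is a minimal model of the security-question change handler described above; the session store, the `sid` cookie, `SITE_ORIGIN` and the token scheme are assumptions for this illustration. The vulnerable version trusts the session cookie alone, so a forged cross-site POST succeeds; the hardened version also checks the `Origin` header and a per-session synchronizer token, so the same request is rejected.

```python
import hashlib, hmac, secrets

# Constructed demo state; names and layout are assumptions for this example.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://account.example"
SESSIONS = {"sess-123": {"user": "victim", "security_question": "Pet's name?"}}

def session_from_cookie(headers):
    """Return (session id, session) for the 'sid' cookie the browser attached."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in SESSIONS:
            return value, SESSIONS[value]
    return None, None

def issue_csrf_token(sid):
    """Synchronizer token tied to the session: HMAC(secret, sid), embedded in the form."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()

def vulnerable_change_question(request):
    """Trusts the session cookie alone, which the browser also attaches to cross-site POSTs."""
    sid, session = session_from_cookie(request["headers"])
    if session is None:
        return "unauthenticated"
    session["security_question"] = request["form"]["question"]
    return "changed"

def hardened_change_question(request):
    """Also requires a same-origin Origin header and a valid per-session token."""
    sid, session = session_from_cookie(request["headers"])
    if session is None:
        return "unauthenticated"
    if request["headers"].get("Origin") != SITE_ORIGIN:  # browsers send Origin on POST
        return "rejected: cross-origin request"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(sid)):
        return "rejected: missing or invalid CSRF token"
    session["security_question"] = request["form"]["question"]
    return "changed"

def forged_request(sid="sess-123"):
    """Constructed POST from an attacker-controlled page: cookie auto-attached, no token."""
    return {"headers": {"Cookie": f"sid={sid}", "Origin": "https://attacker.example"},
            "form": {"question": "Attacker's question?"}}

def legitimate_request(sid="sess-123"):
    """Constructed POST from the site's own settings page, carrying the token."""
    return {"headers": {"Cookie": f"sid={sid}", "Origin": SITE_ORIGIN},
            "form": {"question": "First school?", "csrf_token": issue_csrf_token(sid)}}
```

Logging the rejected branches (unexpected `Origin`, missing token) on password-recovery and security-question endpoints is also a useful detection signal for attempts like the one described here.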

Besides gaining access to the user's personal data and private notes, the attacker could also use this method to track the victim's whereabouts via the platform's "Find My Device" feature. For his reports, Samsung compensated the researcher with a $13300 reward and fixed the security gaps in its account management system.

Do you have a Samsung account? Are you confident about Samsung's security? Let us know your opinion in the comments section below, and also visit our social pages on Twitter and Facebook to find out what else is on today.
