A recently patched set of flaws in Samsung's mobile site was leaving users open to account theft.
Bug-hunter Artem Moskowsky said the flaws he discovered, a since-patched trio of cross-site request forgery (CSRF) bugs, would have potentially allowed attackers to reset user passwords and take over accounts.
Moskowsky told The Register that the vulnerabilities were due to the way the Samsung.com account page handled security questions. When the user forgets their password, they can answer the security question to reset it.
Normally, the Samsung.com web application would check the "referer" header to make sure data requests only come from sites that are supposed to have access.
In this case, however, those checks are not properly run and any site can get that information. This would let the attacker snoop on user profiles, change information (such as user name), or even disable two-factor authentication and steal accounts by changing passwords.
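As an added illustration (not code from Samsung or from this article), here is one way a server can strictly validate the Origin and Referer headers before accepting a state-changing request. The allow-listed host `account.example.com`, the function names and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: the only origin allowed to send state-changing requests.
TRUSTED_ORIGINS = {("https", "account.example.com", 443)}
# Methods that must never change state and so are not checked here.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(value):
    """Parse a header value into (scheme, host, port); None if unusable."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # covers "null", empty values and non-web schemes
    default_port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port or default_port)


def is_trusted_source(method, headers):
    """Accept a state-changing request only if it came from a trusted origin.

    Origin is preferred over Referer. A request carrying neither header is
    rejected (fail closed) instead of being waved through.
    """
    if method.upper() in SAFE_METHODS:
        return True
    lowered = {name.lower(): value for name, value in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False
    # Compare the parsed origin exactly; never substring-match the raw header.
    return origin_of(source) in TRUSTED_ORIGINS


# Constructed sample requests: (method, headers) pairs.
SAMPLES = [
    ("POST", {"Origin": "https://account.example.com"}),
    ("POST", {"Referer": "https://account.example.com/profile/edit"}),
    ("POST", {"Referer": "https://account.example.com.attacker.test/x"}),
    ("POST", {"Referer": "https://account.example.com@attacker.test/"}),
    ("POST", {"Origin": "null"}),
    ("POST", {}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(is_trusted_source(method, headers), headers)
```

Header checks like this are usually paired with per-session anti-CSRF tokens and `SameSite` cookies, so they are not the only control standing between a third-party page and the account.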
"Due to the vulnerabilities it was possible to hack any account on account.samsung.com if the user goes to my page," Moskowsky explained.
"The hacker could get access to all the Samsung user services, private user information, to the cloud."
In one proof of concept, the researcher showed how an attack site could use the CSRF flaw to change the target's Samsung.com security question to one of the attacker's choosing. Armed with the new security question and its answer, the attacker would then use the "reset password" function to steal the target's Samsung account.
It turned out the situation was even worse than the researcher initially thought. Thinking there were only two CSRF vulnerabilities on the site, Moskowsky went to report the issue directly to Samsung – something that was also done through the Samsung.com website. While reporting the issue, he noticed a third bug, the one that would allow him to forcibly change security questions and answers.
"I first discovered two vulnerabilities. But then when I logged in to security.samsungmobile.com to check my report, I was redirected to the personal information editing page," Moskowsky explained.
"This page didn't look like a similar page on account.samsung.com. There was an additional 'secret question' field on it."
In total, three bugs were found and were rated medium, high, and critical, respectively. Moskowsky earned himself a payout of $13,300 for the find, a nice payout, but well short of the $20,000 he pocketed for spotting a major bug in Steam back in October.
Samsung did not respond to a request for comment on the matter. ®