Concern is growing over the security of Samsung's Android infrastructure after readers from around the world told The Register that yesterday's Find my Mobile push notification affected them – including on devices where the offending app was disabled.
Readers from as far afield as New Zealand, the US, Scandinavia and even rural England told us they had received the mysterious push notification, which showed up as the message "1/1."
The alerts were even received at Vulture Central, which surprised us given that Find my Mobile – a Samsung-specific phone locator app, remotely triggerable from a web interface – had been explicitly disabled on the devices receiving the notification.
Over on Twitter, Samsung was claiming the alert only affected a "limited number of Galaxy devices" – yet readers using non-Galaxy phones got in touch to tell us they had received the notification.
"I'm just letting you know this message appeared on my Norwegian Samsung XCover 4," said Tomas, who had also not set up Find my Mobile.
Others reported seeing other people's personal data on Samsung's account management page when they logged in to change passwords as a security precaution. Yet more still found details missing altogether.
"They don't have my address and all from the year or so back and wanted me to put that in. Clicking on the link leads one to a blank page. All is not well in Sammy Land," Reg reader Ken told us.
The Information Commissioner's Office told us yesterday that Samsung had not reported a data breach, though companies have three days to do so. The spokeswoman added: "People have the right to expect that organisations will handle their personal information securely and responsibly. Where that doesn't happen, people can come to the ICO and we will look into the details.
"When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects."
Why is an app that is supposed to be disabled able to receive and display push notifications? And what was going on with Samsung's backend infrastructure that caused personal data to be displayed to the wrong people?
Samsung UK has not responded to detailed questions from The Register about what happened. In today's security-conscious world, apps doing things contrary to the user's intentions, or functioning in a way that cannot be disabled, can be a genuine risk to some. ®