The flaw would have allowed an attacker to generate a new password
A Ukrainian digital forensics expert known as Artem Moskowsky reported three security issues in Samsung's account management system, which earned him a reward of about $13k USD. The professional, who specializes in vulnerability hunting, had previously received a reward of $25k USD for finding a vulnerability on Steam that allowed users to download any game without paying for it.
According to the expert's report, the main problem in Samsung's account system is that it is vulnerable to cross-site request forgery (CSRF). According to specialists in digital forensics from the International Institute of Cyber Security, this means that an attacker could trick the victim's browser into sending requests to other sites the victim uses, without the victim's knowledge.
Artem Moskowsky mentioned that the vulnerability has three essential characteristics:
- It allows attackers to modify some user profile details
- It allows attackers to disable two-factor authentication for login
- It allows attackers to change the security question of the user's account
All three are serious problems, but experts in digital forensics believe that the third is the most critical. This is because, if attackers manage to change the user's security question, they could start a password reset process using the victim's email address.
Since the attackers set the new security question themselves, they can answer it correctly, and the system then issues them a new password. This means they could access the victim's Samsung account without the access appearing illegitimate.
Access to a Samsung account would have allowed attackers to track the movements of a device or user, control the user's interconnected smart devices, and access private notes and other sensitive information managed by Samsung's account management system.
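As an added illustration (not code from the article or from Samsung's system), the following shows the server-side checks a security-question-change endpoint needs so that a request forged from another site is refused even though the victim's browser attaches the session cookie. The origin `https://account.example.com`, the handler names and the password-check callback are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://account.example.com"  # assumed first-party origin (placeholder)


@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token, embedded in the site's own forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]  # None when no valid session cookie was sent


def csrf_ok(req: Request) -> Tuple[bool, str]:
    """Checks that block a state change a victim's browser was tricked into sending."""
    if req.session is None:
        return False, "not logged in"
    if req.method != "POST":
        return False, "state change must be POST"
    # 1. Origin/Referer is set by the browser, not by the attacker's page, so a
    #    form auto-submitted from another site carries that site's origin.
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    parts = urlsplit(src)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:  # exact match, fails closed
        return False, "cross-origin request"
    # 2. Synchronizer token: a cross-site page cannot read it, so a forged request lacks it.
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return False, "missing or wrong csrf token"
    return True, "ok"


def change_security_question(req: Request, account: Dict[str, str],
                             check_pw: Callable[[str, str], bool]) -> str:
    ok, why = csrf_ok(req)
    if not ok:
        return f"rejected: {why}"
    # 3. Re-authenticate before touching recovery data: changing the question
    #    is what lets an attacker drive the password-reset path later.
    if not check_pw(req.session.user, req.form.get("password", "")):
        return "rejected: password re-authentication failed"
    account["security_question"] = req.form["question"]
    account["security_answer"] = req.form["answer"]
    return "changed"
```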