According to a report on ZDNet, Samsung fixed a vulnerability in its account management system that could have allowed hackers to take control of any Samsung account by tricking users into clicking on a malicious link. The vulnerability was discovered by a Ukrainian bug bounty hunter, Artem Moskowsky, who reported it to Samsung this month.
The exploit is classified as a Cross-Site Request Forgery (CSRF) vulnerability – a term for flaws that let an attacker's page trick the victim's browser into sending hidden, state-changing requests to another site the user is currently logged into, with the browser attaching the user's session cookies automatically.
Three CSRF vulnerabilities discovered
Moskowsky discovered three CSRF vulnerabilities in Samsung’s account management system – all of which involve a user clicking on a malicious link. The first vulnerability allowed attackers to modify account profile details; the second one allowed them to disable two-factor authentication (if enabled), while the third and the most severe vulnerability allowed hackers to change the user’s account security question and answer.
The third vulnerability was catastrophic because Samsung allowed account passwords to be reset by answering the security question. This meant an attacker could initiate password recovery on the account login page and reset the password using the security question they had just planted, thereby gaining full access to the user account, which can contain private notes, health data, smart home controls, location data, etc.
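To make the mechanism in the two paragraphs above concrete, here is an added example written for this page; it is not Samsung's code and is not taken from the report. It simulates a hypothetical "update security question" endpoint in two forms: a vulnerable handler that trusts the session cookie alone (so a forged cross-site request succeeds), and a hardened handler that additionally requires a per-session synchronizer token and rejects requests whose Origin header does not match the site. All names (`AccountService`, `alice`, `account.example`, `attacker.example`) and the request shapes are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, never in the cookie alone."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an HTTP POST as the server sees it (constructed for the example)."""
    cookie_session_id: str          # browsers attach this automatically, even cross-site
    form: Dict[str, str]            # POST body fields
    origin: Optional[str] = None    # Origin header; absent on some older clients


class AccountService:
    def __init__(self, site_origin: str) -> None:
        self.site_origin = site_origin
        self.sessions: Dict[str, Session] = {}
        self.security_questions: Dict[str, Tuple[str, str]] = {}  # user -> (question, answer)

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def update_question_vulnerable(self, req: Request) -> str:
        # Defect: a valid session cookie is the only check, so a request the
        # attacker's page caused the browser to send is indistinguishable from a real one.
        session = self.sessions.get(req.cookie_session_id)
        if session is None:
            return "401 not logged in"
        self.security_questions[session.user] = (req.form["question"], req.form["answer"])
        return "200 updated"

    def update_question_hardened(self, req: Request) -> str:
        session = self.sessions.get(req.cookie_session_id)
        if session is None:
            return "401 not logged in"
        # Defence 1: when the browser sends an Origin header, it must be our own site.
        if req.origin is not None and req.origin != self.site_origin:
            return "403 cross-site origin"
        # Defence 2: the form must carry the secret token tied to this session.
        # An attacker's page cannot read it (same-origin policy), so it cannot forge it.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, session.csrf_token):
            return "403 missing or invalid CSRF token"
        self.security_questions[session.user] = (req.form["question"], req.form["answer"])
        return "200 updated"


def demo() -> Dict[str, str]:
    """Runs the forged request against both handlers and a legitimate request against the hardened one."""
    svc = AccountService("https://account.example")
    sid = svc.login("alice")
    attacker_form = {"question": "favourite colour", "answer": "attacker-chosen"}

    # Forged request: alice's browser sends it from the attacker's page, cookie included.
    forged = Request(cookie_session_id=sid, form=attacker_form, origin="https://attacker.example")
    # Same forgery from a client that sends no Origin header at all.
    forged_no_origin = Request(cookie_session_id=sid, form=attacker_form, origin=None)
    # Legitimate request: rendered by our own page, so it carries the session's token.
    legit = Request(
        cookie_session_id=sid,
        form={"question": "first pet", "answer": "rex", "csrf_token": svc.sessions[sid].csrf_token},
        origin="https://account.example",
    )

    return {
        "vulnerable_forged": svc.update_question_vulnerable(forged),
        "hardened_forged": svc.update_question_hardened(forged),
        "hardened_forged_no_origin": svc.update_question_hardened(forged_no_origin),
        "hardened_legit": svc.update_question_hardened(legit),
        "final_question": svc.security_questions["alice"][0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two forgeries is that the hardened handler does not depend on either check alone: a client that omits Origin still fails on the token, and a request that somehow carried a stolen token from another site still fails on Origin. Any endpoint that changes recovery data (security question, recovery e-mail, 2FA settings) deserves this treatment, since the article shows how a single unprotected one turns into a full account takeover.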
Samsung awarded the researcher $13,300 for discovering these vulnerabilities. None of the online reports mention whether these vulnerabilities were actually exploited by any hackers.
The post Samsung fixed a bug that could allow hackers to take over user accounts appeared first on SamMobile.