- Ukrainian bug bounty hunter Artem Moskowsky identified 3 CSRF vulnerabilities in Samsung’s account management system.
- Samsung awarded the researcher a $13,300 reward for finding and reporting the three bugs.
Cross-site request forgery (CSRF) vulnerabilities allow an attacker to trick a victim's browser into sending hidden, state-changing requests to a website the victim is logged into, while the victim is actually viewing the attacker's site.
Ukrainian bug bounty hunter Artem Moskowsky identified 3 CSRF vulnerabilities in Samsung’s account management system. The vulnerabilities were fixed after the researcher reported the bugs to Samsung. Samsung also awarded the researcher a $13,300 reward for finding and reporting the bugs.
The three vulnerabilities
- The first vulnerability would have allowed an attacker to change the user’s profile details.
- The second would have allowed an attacker to disable two-factor authentication.
- The third bug would have allowed an attacker to modify a victim's user account security question. This bug could also have been used by the attacker to take over the user account.
“The attacker could have tricked the victim into accessing the malicious link that would have changed the victim’s user account security question and the respective answer,” said Moskowsky to ZDNet.
When the victim accessed the malicious link, two-factor authentication would also have been disabled if the account used it. The attacker would then have attempted to log in with the victim's email address and initiated password recovery, which relied on the security question the attacker had already replaced. After setting a new password, the attacker would have had full control of the victim's account.
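The attack chain above works only because the endpoints trusted the session cookie alone, which the browser attaches to a cross-site form POST just as it does to a legitimate one. The following is an added illustration, not Samsung's code and not code from the researcher's report: a constructed, in-memory model of an account-settings endpoint, with the cookie-only handler beside a hardened one that requires both a same-origin request and a per-session synchronizer token. All names (AccountService, SITE_ORIGIN, the `sid` cookie and `csrf_token` form field) are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed, in-memory model of an account-settings endpoint. All names here are
# hypothetical; nothing in this file is Samsung's code.
SITE_ORIGIN = "https://account.example.com"  # assumed origin of the account site


@dataclass
class Session:
    user: str
    # Synchronizer token: random per session and only ever rendered into the site's
    # own pages, so a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]
    headers: Dict[str, str]
    form: Dict[str, str]


def _same_origin(req: Request) -> bool:
    """Compare scheme+host of Origin (or Referer) exactly; a prefix match would
    wrongly accept a host such as account.example.com.attacker.example."""
    value = req.headers.get("Origin") or req.headers.get("Referer")
    if not value:
        return False  # fail closed when neither header is present
    u = urlsplit(value)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


class AccountService:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.profiles: Dict[str, dict] = {}

    def login(self, user: str):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user=user)
        self.profiles.setdefault(user, {"question": "first pet", "answer": "rex", "two_factor": True})
        return sid, self.sessions[sid].csrf_token

    def _session(self, req: Request) -> Optional[Session]:
        return self.sessions.get(req.cookies.get("sid", ""))

    def _apply(self, user: str, form: Dict[str, str]) -> None:
        p = self.profiles[user]
        if "question" in form:
            p["question"], p["answer"] = form["question"], form["answer"]
        if "two_factor" in form:
            p["two_factor"] = form["two_factor"] == "on"

    # Vulnerable: the session cookie is the only check. The browser attaches it to a
    # hidden cross-site form POST too, so a forged request looks identical.
    def update_vulnerable(self, req: Request) -> int:
        sess = self._session(req)
        if sess is None or req.method != "POST":
            return 401
        self._apply(sess.user, req.form)
        return 200

    # Hardened: same-origin request AND a synchronizer token bound to the session.
    def update_hardened(self, req: Request) -> int:
        sess = self._session(req)
        if sess is None or req.method != "POST":
            return 401
        if not _same_origin(req):
            return 403
        if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
            return 403
        self._apply(sess.user, req.form)
        return 200


def demo() -> dict:
    """Replay the kind of forged request the article describes against both handlers."""
    vuln, hard = AccountService(), AccountService()
    sid_v, _ = vuln.login("victim")
    sid_h, token_h = hard.login("victim")

    # Forged cross-site POST: the cookie rides along, but the attacker's page has no token.
    def forged(sid: str) -> Request:
        return Request("POST", {"sid": sid}, {"Origin": "https://attacker.example"},
                       {"question": "x", "answer": "x", "two_factor": "off"})

    legit = Request("POST", {"sid": sid_h}, {"Origin": SITE_ORIGIN},
                    {"question": "street", "answer": "elm", "csrf_token": token_h})
    return {
        "forged_vs_vulnerable": vuln.update_vulnerable(forged(sid_v)),   # 200: 2FA off, question changed
        "vulnerable_two_factor_after": vuln.profiles["victim"]["two_factor"],
        "forged_vs_hardened": hard.update_hardened(forged(sid_h)),       # 403: rejected
        "hardened_two_factor_after": hard.profiles["victim"]["two_factor"],
        "legit_vs_hardened": hard.update_hardened(legit),                # 200: genuine change
        "hardened_question_after": hard.profiles["victim"]["question"],
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the Origin/Referer comparison rejects the forged request before the token is even examined, and the token check catches cases where the browser sends no Origin header at all. A `SameSite=Lax` or `Strict` attribute on the session cookie (a browser-side control not modelled here) adds a third layer, and re-authentication for changes to security questions or two-factor settings limits the damage if any one layer fails.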
Access to a Samsung account allows the attacker to do the following:
- Track a user's movements using the Find My Device feature.
- Control the user's interconnected smart devices.
- Gain access to the user’s health data.
- Gain access to private notes, and more.