A Cross-Site Request Forgery (CSRF) vulnerability in Samsung's account management system has been patched by the company. The vulnerability, identified by Artem Moskowsky, a Ukrainian bug bounty hunter, allowed attackers to take over any Samsung account by tricking the user into opening a malicious link.
The vulnerability is classified as CSRF because it lets an attacker's web page make the victim's browser send hidden, state-changing requests to other sites the user is currently logged into, while the user is merely browsing the attacker's site.
Notably, three CSRF issues were found in Samsung’s account management system.
The first allowed an attacker to alter profile details, the second allowed them to disable two-factor authentication (if it was enabled), and the last and most serious one allowed them to change an account's security question and answer.
Once exploited, the vulnerability could have been used by attackers to log into the victim's account by setting a new password through password recovery.
That in turn would have given the attacker control over the user's connected smart devices, access to personal notes and health-related data, and the ability to track the victim's movements through the "Find My Device" feature.
It is not known whether the vulnerabilities were exploited before the fix. For the discovery of the three vulnerabilities, Samsung paid the researcher a $13,300 bounty.
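To make the mechanism described above concrete, the following is an added example (not code from Samsung or from the researcher) that simulates the third issue, a "change security question" endpoint, in two forms: one that trusts the session cookie alone, and one that additionally checks the Origin header and a per-session synchronizer token. The session ids, origins, secret and form fields are all constructed for the demo; the HMAC-derived token is one common way to bind a token to a session, and an app that stores a random token in the session instead is equally valid.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo values; a real deployment keeps the secret out of source code.
CSRF_SECRET = b"constructed-demo-secret"
ALLOWED_ORIGINS = {"https://account.example.test"}  # hypothetical first-party origin


def demo_sessions() -> Dict[str, dict]:
    """Fresh copy of the server-side session store: one logged-in user."""
    return {"sess-abc123": {"user": "alice",
                            "security_question": "First pet?",
                            "security_answer": "rex"}}


@dataclass
class Request:
    method: str
    origin: Optional[str]   # Origin header; None if the client did not send one
    cookies: Dict[str, str]  # the browser attaches these automatically, even cross-site
    form: Dict[str, str]


def csrf_token_for(session_id: str) -> str:
    """Per-session token derived with HMAC so it cannot be forged without the secret."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_question_vulnerable(req: Request, sessions: Dict[str, dict]) -> str:
    """Only checks that a valid session cookie is present: a cross-site form post succeeds."""
    session = sessions.get(req.cookies.get("session", ""))
    if req.method != "POST" or session is None:
        return "unauthorized"
    session["security_question"] = req.form["question"]
    session["security_answer"] = req.form["answer"]
    return "updated"


def change_question_hardened(req: Request, sessions: Dict[str, dict]) -> str:
    """Same endpoint with two independent CSRF defenses."""
    sid = req.cookies.get("session", "")
    session = sessions.get(sid)
    if req.method != "POST" or session is None:
        return "unauthorized"
    # Defense 1: the browser sets Origin itself; a page on another site cannot spoof it.
    # Requests with no Origin at all are rejected too (strict, but safe for a sensitive action).
    if req.origin not in ALLOWED_ORIGINS:
        return "rejected: bad origin"
    # Defense 2: the form must carry the token that only a first-party page could have read.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token_for(sid)):
        return "rejected: bad csrf token"
    session["security_question"] = req.form["question"]
    session["security_answer"] = req.form["answer"]
    return "updated"


def run_demo() -> Dict[str, str]:
    """Replay a forged cross-site post and a legitimate post against both handlers."""
    forged = Request("POST", "https://attacker.example.test",
                     {"session": "sess-abc123"},
                     {"question": "Attacker's question", "answer": "attacker"})
    legit = Request("POST", "https://account.example.test",
                    {"session": "sess-abc123"},
                    {"question": "Mother's maiden name?", "answer": "smith",
                     "csrf_token": csrf_token_for("sess-abc123")})
    no_token = Request("POST", "https://account.example.test",
                       {"session": "sess-abc123"},
                       {"question": "x", "answer": "y"})
    return {
        "forged_vulnerable": change_question_vulnerable(forged, demo_sessions()),
        "forged_hardened": change_question_hardened(forged, demo_sessions()),
        "legit_hardened": change_question_hardened(legit, demo_sessions()),
        "no_token_hardened": change_question_hardened(no_token, demo_sessions()),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The forged request carries a valid session cookie because the browser sends cookies regardless of which page triggered the request; that is exactly why a session cookie alone is not proof that the user intended the action. Marking the session cookie `SameSite=Lax` or `Strict` is a third, browser-enforced layer that complements the two server-side checks shown.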