A series of cross-site request forgery (CSRF) bugs found by security researcher Artem Moskowsky in Samsung’s website could allow potential attackers to take over user accounts completely.
Moskowsky told ZDNet that the three issues were reported to Samsung during this month and the company rewarded him with $13,300 through its bug bounty program.
As further detailed by the researcher, the three CSRF security issues affected the account management system on Samsung’s website, and they allowed attackers to change a user’s security questions, disable two-factor authentication, and change the vulnerable account’s profile info.
Cross-site request forgery attacks allow bad actors to execute commands through a user’s web browser via a web application the victim is currently logged in.
In the case of the XSRF bugs found by Moskowsky, attackers could change the security questions and answers of any account by persuading the targeted Samsung users to click on a maliciously crafted link.
The CSRF issue streamed from the absence of referrer header checks of the data requests
Following a successful compromise of the Samsung account, the attacker could reset the password with the help of the new security question and then log into the user’s profile with the new credentials.
The attack worked because the vulnerable Samsung web app did not correctly check the referrer header of the data requests made by the attackers to make sure that they were made from domains with the proper access.
Because the referrer header checks weren’t performed correctly, any domain could have requested the current security questions of any account on Samsung’s account management system leading to the CSRF vulnerability.
“Due to the vulnerabilities, it was possible to hack any account on account.samsung.com if the user goes to my page. The hacker could get access to all the Samsung user services, private user information, to the cloud,” told Moskowsky to The Register.