Samsung fixes flaws that could have let attackers hijack your account

A recently patched trio of flaws in Samsung’s mobile site was leaving users vulnerable to attackers who could have reset their user passwords and hijacked their accounts, The Register reports.

The flaws were found by security researcher Artem Moskowsky, who said that they were all cross-site request forgery (CSRF, also abbreviated XSRF) bugs.

Moskowsky said that the problem was with the way that the account page handled password-reset security questions.

What should have been happening: the web app would inspect the “referer” header (yes, that’s the way it’s spelled) to verify that requests for data were coming from sites that were legitimately supposed to have access.

What glitched: the checks weren’t working properly. Any site could have gotten the security question answers, enabling an attacker to access user profiles, change information such as usernames, or even disable two-factor authentication (2FA), change passwords and thereby steal accounts.
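As an added illustration (this is not code from Samsung or from the researcher's report), here is a loose Referer check of the kind that lets any site through, next to a strict Origin/Referer check that compares the full origin against an allowlist; the hostnames are constructed placeholders, not Samsung's.

```python
from urllib.parse import urlsplit

# Origins allowed to read or change security-question data (constructed placeholders).
ALLOWED_ORIGINS = {"https://account.example.com", "https://www.example.com"}


def naive_referer_check(referer):
    """The mistake: a substring match passes any URL that merely contains the host name."""
    return "account.example.com" in (referer or "")


def _origin_of(url):
    """Reduce a Referer/Origin value to scheme://host[:port]; None if unusable."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname  # urlsplit already lower-cases the host
    if port and port != 443:
        return f"https://{host}:{port}"
    return f"https://{host}"


def is_trusted_source(headers):
    """Strict check: True only if Origin (preferred) or Referer names an allowed origin.

    headers: dict of request headers with canonical capitalised keys.
    A request carrying neither header cannot prove where it came from, so it
    is refused rather than waved through.
    """
    origin = headers.get("Origin")
    if origin is not None:
        # Browsers send Origin on cross-site POSTs; "null" marks an opaque origin.
        return _origin_of(origin) in ALLOWED_ORIGINS
    return _origin_of(headers.get("Referer")) in ALLOWED_ORIGINS
```

An Origin/Referer check is a secondary layer; an anti-CSRF token or the SameSite cookie attribute should carry the primary burden, since some clients and proxies strip the Referer header.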

The Register reports that in one proof of concept, Moskowsky showed how an attacker could exploit the CSRF flaw to change security questions – and answers – to whatever they want. From there, it would have been an easy hop to reset the password and take over a Samsung account.


Due to the vulnerabilities, it was possible to hack any account on if the user goes to my page. The hacker could get access to all the Samsung user services, private user information, to the cloud.

When reporting what he originally thought were two CSRF flaws to Samsung – via that same site – Moskowsky came across a third bug that could have let him forcibly change security questions and answers.

I first discovered two vulnerabilities. But then when I logged in to to check my report, I was redirected to the personal information editing page.

This page didn’t look like a similar page on There was an additional ‘secret question’ field on it.

Samsung hadn’t yet responded to a request for comment from The Register as of Tuesday evening. It reportedly paid Moskowsky a total of $13,300 for the three vulnerabilities, which were rated medium, high, and critical.

He also picked up $20,000 last month for finding a big (now patched!) hole in Steam that gave him every game’s license keys.
