October 27, 2014

A Flaw Within Samsung’s ‘Find My Phone’ Service Allows Hackers to Remotely Lock Your Device

Samsung users beware: a zero-day flaw was discovered in the Samsung Find My Phone online phone-tracking service. The flaw was announced by the National Institute of Standards and Technology and was discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an Information Security Evangelist from Egypt. It has been assigned CVE-2014-8346.

The vulnerability allows a remote attacker to lock or unlock your device, or make it ring, through a Cross-Site Request Forgery (CSRF). In a CSRF attack the victim is tricked into loading an attacker-crafted HTML page, or clicking a link, that makes their browser send requests to the service while they are still logged in. Because the browser automatically attaches the victim's session cookies to those requests, the service cannot tell the forged requests from the user's own.

The forged requests therefore carry the same privileges as the authorized user and can perform any task on the user's behalf. This means they can purchase items, change the victim's account details, change passwords, and more. They can even be used to steal sensitive information about the user.
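To make the defender's side of this concrete, the following is an added example (not code from the original post, from Samsung, or from the researcher) that contrasts a cookie-only "lock device" handler with a hardened one. It assumes a hypothetical service origin `https://findmyphone.example`, a constructed in-memory session store, and a simplified request model; the hardened handler requires POST, an exact same-origin `Origin`/`Referer` check, and a per-session CSRF token that a cross-site page cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical origin of the tracking service's own web UI (not a real host).
SERVICE_ORIGIN = "https://findmyphone.example"

# Constructed in-memory stand-ins for a server-side session store and the
# per-user device state that a "lock" request changes.
SESSIONS = {}       # session id -> {"user": ..., "csrf_token": ...}
DEVICE_STATE = {}   # user -> "locked" | "unlocked"


@dataclass
class Request:
    """Minimal model of an incoming HTTP request."""
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session plus a per-session CSRF token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    DEVICE_STATE.setdefault(user, "unlocked")
    return sid


def vulnerable_lock(req: Request):
    """Weak pattern: the session cookie alone authorizes a state change.
    The browser attaches that cookie to requests triggered from any site,
    so a forged cross-site request looks identical to a genuine one."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    DEVICE_STATE[sess["user"]] = "locked"
    return 200, "device locked"


def _same_origin(url: str, expected: str) -> bool:
    """Compare scheme, host and port exactly; a plain prefix check would
    accept look-alike hosts such as findmyphone.example.attacker.example."""
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def hardened_lock(req: Request):
    """Hardened pattern: state changes need POST, a same-origin Origin or
    Referer header, and a CSRF token known only to the service's own page."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state changes must use POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None or not _same_origin(origin, SERVICE_ORIGIN):
        return 403, "cross-origin request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    DEVICE_STATE[sess["user"]] = "locked"
    return 200, "device locked"


def simulate() -> dict:
    """Constructed scenario: a logged-in user's browser sends (a) a request
    triggered from another site that carries the session cookie but no
    token, and (b) a legitimate request from the service's own page."""
    results = {}
    sid = login("alice")
    DEVICE_STATE["alice"] = "unlocked"

    # (a) Cross-site: the browser attached the cookie, but the other site
    # cannot read the per-session token, so the form carries none.
    cross_site = Request("POST", "/device/lock", cookies={"sid": sid},
                         headers={"Origin": "https://attacker.example"})
    results["vulnerable_cross_site"], _ = vulnerable_lock(cross_site)
    DEVICE_STATE["alice"] = "unlocked"          # reset before the hardened run
    results["hardened_cross_site"], _ = hardened_lock(cross_site)
    results["state_after_hardened_cross_site"] = DEVICE_STATE["alice"]

    # (b) Same-origin request from the service's own page, wrong token first,
    # then the correct one.
    bad = Request("POST", "/device/lock", cookies={"sid": sid},
                  form={"csrf_token": "not-the-token"},
                  headers={"Origin": SERVICE_ORIGIN})
    results["hardened_bad_token"], _ = hardened_lock(bad)
    legit = Request("POST", "/device/lock", cookies={"sid": sid},
                    form={"csrf_token": SESSIONS[sid]["csrf_token"]},
                    headers={"Origin": SERVICE_ORIGIN})
    results["hardened_legit"], _ = hardened_lock(legit)
    results["state_after_legit"] = DEVICE_STATE["alice"]
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The `Origin`/`Referer` check and the token check are independent layers: the token defends even when a browser omits both headers, and the header check catches requests that present no token at all before any session state is touched. Setting the session cookie with `SameSite=Lax` or `Strict` adds a third layer in modern browsers.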

The US-CERT/NIST rated the severity of this vulnerability as HIGH and gave it an exploitability score of 10.

Here is a proof of concept video from the original discoverer:


About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
