October 27, 2014 by

A Flaw Within Samsung’s ‘Find My Phone’ Service Allows Hackers to Remotely Lock Your Device

Samsung users beware: a zero-day flaw has been disclosed in Samsung's Find My Mobile online phone tracking service. It was discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an information security evangelist from Egypt, and published by NIST's National Vulnerability Database under the identifier CVE-2014-8346.

The vulnerability allows a remote attacker to lock or unlock your device, or make it ring, through a Cross-Site Request Forgery (CSRF). In a CSRF attack the victim, while still logged in to the target site, is lured into loading an attacker-controlled web page. That page silently submits a request to the site (for example through a hidden, auto-submitting HTML form), and the victim's browser attaches the session cookies for the site to that request, so the server treats it as an action the user chose to take. Here the remote-control feature does not validate where the lock request actually came from, so a request forged in this way is accepted.

The forged request carries the same privileges as the logged-in user, and the service performs the action on their behalf. On other vulnerable sites the same technique can be used to purchase items, change the victim's account details or reset passwords; in the Find My Mobile case it lets the attacker lock the phone with a lock code of the attacker's choosing, or unlock or ring it. Note that CSRF on its own does not let the attacker read the server's responses, so it is a way to act as the user rather than to read the user's data directly.

US-CERT/NIST rated the severity of this vulnerability HIGH and gave it a CVSS v2 exploitability subscore of 10.0, the maximum, which means the flaw is reachable over the network, requires no authentication and has low attack complexity.

Here is a proof of concept video from the original discoverer:



About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
