Tuesday, October 28, 2014

A zero-day flaw allows blocking Samsung smartphones … – 01net

A bad week for Samsung. A few days ago, an anonymous researcher uncovered vulnerabilities in Knox, the digital safe that secures sensitive data on a Galaxy device. An Egyptian hacker has now demonstrated a critical zero-day flaw in “Find My Mobile”, a web service of the South Korean vendor that lets users geolocate their device in case of loss or theft and, where appropriate, lock it or make it ring.

The security researcher Mohamed Abdelbaset Elnoby (aka SymbianSyMoh) found a way to activate these functions through a so-called “cross-site request forgery” attack. When a user is logged in to the “findmymobile.samsung.com” service, it is enough for them to click on a booby-trapped HTML page – in this case a hidden form – to find themselves with a completely locked smartphone.

In two videos, the Egyptian hacker shows his own smartphone being locked from a web page. In the malicious code, we can see that a specific lock code is defined, along with the message “This terminal was lockedSymbianSymoh”. With the same attack, it is also possible to unlock a smartphone or make it ring.

This attack is possible because Samsung's web service does not carry out the necessary checks on the origin of the requests it receives. This vulnerability has been referenced by the US-CERT / NIST under number CVE-2014-8346, with a high level of risk. So far, the South Korean vendor has not commented on this discovery. Pending a fix, and to avoid getting caught out, the best option for now is to disable this feature on your smartphone.
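
The missing check described above, sketched server-side as an added example (not code from Samsung's service or from the researcher): a handler that trusts the session cookie alone, next to one that also verifies the request origin and a per-session anti-CSRF token. The origin `https://service.example`, the session id, the request layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://service.example"   # assumed: the service's own origin
SERVER_KEY = secrets.token_bytes(32)         # assumed: per-deployment secret
SESSIONS = {"sess-123"}                      # constructed: one logged-in session

def issue_csrf_token(session_id: str) -> str:
    """Token tied to the session; only the service's own pages can embed it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def request_origin(headers: dict) -> Optional[str]:
    """Origin header, else scheme://host taken from the Referer."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin
    ref = urlsplit(headers.get("Referer", ""))
    return f"{ref.scheme}://{ref.netloc}" if ref.scheme and ref.netloc else None

def session_only_allows(req: dict) -> bool:
    """Before: the browser-sent session cookie alone authorizes the action."""
    return req["session"] in SESSIONS

def hardened_allows(req: dict) -> bool:
    """After: session + same-origin check + per-session anti-CSRF token."""
    if req["session"] not in SESSIONS:
        return False
    if request_origin(req["headers"]) != TRUSTED_ORIGIN:
        return False  # cross-site or origin-less request: reject
    sent = req["form"].get("csrf_token", "")
    return hmac.compare_digest(sent.encode(), issue_csrf_token(req["session"]).encode())

# Constructed requests. The browser attaches the session cookie to both.
LEGIT = {"session": "sess-123",
         "headers": {"Origin": "https://service.example"},
         "form": {"action": "lock", "csrf_token": issue_csrf_token("sess-123")}}
CROSS_SITE = {"session": "sess-123",
              "headers": {"Origin": "https://other.example"},
              "form": {"action": "lock"}}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("cross-site", CROSS_SITE)):
        print(name, session_only_allows(req), hardened_allows(req))
```

The session-only check accepts both requests because the cookie travels with any request the browser sends to the service; the hardened check accepts only the one that comes from the service's own origin and carries the token.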
