Samsung.com Account Takeover Vulnerability Write-up

First of all let me say this: Hurray! They fixed it!

After contacting Samsung multiple times I thought they’d completely blown me off in fixing this bug but it looks patched (hopefully!).

EDIT: Samsung contacted me and said thanks for the report of the vulnerability. They seemed sincerely interested in fixing the problem – quite the opposite of my initial impression with them (their initial impression of me must’ve been odd considering I’m pretty sick with a cold at the time of this writing).

The Vulnerability

All Samsung.com accounts can be taken over due to an issue with character removal after authentication. When you register at http://samsung.com/ you can add extra spaces to the end of your account name and it will be registered as a separate account altogether. Alone this is not a big issue (other than perhaps spamming an email address by making multiple accounts with additional spaces after them). However, upon navigating to a Samsung subdomain such as http://shop.us.samsung.com/ these trailing spaces are scrubbed from your username. Once this happens and you navigate back to Samsung.com you are authenticated as just a regular email address without any trailing spaces – effectively taking over your target’s account.

So if your username was originally “[email protected]”, after visiting http://shop.us.samsung.com/ it would be scrubbed to “[email protected]”.

Apparently scrubbing isn't always a good thing

(the security puns don’t get worse than that!)

More detailed instructions (now patched, at least for shop.us.samsung.com):

  1. Register an account at Samsung.com with the email address of a target; use Tamper Data or another HTTP intercept tool to add trailing spaces to the username.

  2. Complete the account registration process

  3. Navigate to “shop.us.samsung.com”, ex: http://shop.us.samsung.com/store?Action=DisplayCustomerServiceOrderSearchPage&Locale-en_US&SiteID=samsung

  4. Navigate back to the main Samsung.com domain, ex: http://www.samsung.com/us/topic/galaxy-note-10-1-2014-edition

  5. Add items to your cart and proceed to the checkout page

  6. Notice the account details and cards on file are those of your target 😉
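
An added illustration, not Samsung's code, of the identity mismatch behind this bug and of the fix a defender would want: canonicalise usernames once, at registration, check uniqueness on the canonical form, and bind the session to an opaque account id rather than a string that a subdomain may rewrite later. All names and values below are constructed.

```python
class VulnerableSite:
    def __init__(self):
        self.accounts = {}  # keyed by the username string exactly as submitted

    def register(self, username, owner):
        # No canonicalisation: "a@x" and "a@x  " become two distinct accounts.
        if username in self.accounts:
            raise ValueError("username taken")
        self.accounts[username] = owner
        return username  # the session carries the raw username string


def vulnerable_flow():
    site = VulnerableSite()
    site.register("victim@example.test", "VICTIM")
    session = site.register("victim@example.test  ", "ATTACKER")
    session = session.strip()  # the shop subdomain scrubs the session's username
    return site.accounts[session]  # the main site now resolves it to the victim


def canonical(username):
    # One canonical form, applied wherever an identifier enters the system.
    return username.strip().lower()


class HardenedSite:
    """Uniqueness checked on the canonical form; sessions bound to an opaque id."""
    def __init__(self):
        self.by_name, self.by_id = {}, {}

    def register(self, username, owner):
        name = canonical(username)
        if name in self.by_name:
            raise ValueError("username taken")
        account_id = len(self.by_id) + 1
        self.by_name[name], self.by_id[account_id] = account_id, owner
        return account_id  # the session carries an id, not a mutable string

    def whoami(self, session_id):
        return self.by_id[session_id]


def hardened_flow():
    site = HardenedSite()
    site.register("victim@example.test", "VICTIM")
    try:
        site.register("victim@example.test  ", "ATTACKER")
    except ValueError:
        return "rejected"  # collides with the victim's canonical name
    return "registered"
```

The point the toy model makes is that the bug is not the scrubbing itself but scrubbing in one place and not another; a single canonical form plus an id-based session removes both halves of the mismatch.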

Sadly because this isn’t a Samsung TV there is no bug bounty for this exploit, but oh well.

Proof of Concept Video

Matthew Bryant (mandatory)
Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.