First of all let me say this: Hurray! They fixed it!
After contacting Samsung multiple times I thought they’d completely blown me off in fixing this bug but it looks patched (hopefully!).
EDIT: Samsung contacted me and said thanks for the report of the vulnerability. They seemed sincerely interested in fixing the problem – quite the opposite of my initial impression with them (their initial impression of me must’ve been odd considering I’m pretty sick with a cold at the time of this writing).
All Samsung.com accounts can be taken over due to an issue with character removal after authentication. When you register at http://samsung.com/ you can add extra spaces to the end of your account name and it will be registered as a separate account altogether. On its own this is not a big issue (other than perhaps spamming an email address by making multiple accounts with additional spaces after them). However, upon navigating to a Samsung subdomain such as http://shop.us.samsung.com/ these trailing spaces are scrubbed from your username. Once this happens and you navigate back to Samsung.com you are authenticated as just the plain email address without any trailing spaces – effectively taking over your target’s account.
So if your username was originally “firstname.lastname@example.org<SPACE><SPACE>”, after visiting http://shop.us.samsung.com/ it would be scrubbed to “firstname.lastname@example.org”.
(the security puns don’t get worse than that!)
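The root cause described above is two components disagreeing on what the account identifier is: one stores the raw string (trailing spaces included), the other trims it before treating it as the authenticated identity. The following Python model is an added example written for this post; it is not Samsung’s code and the class and method names are hypothetical. It reproduces the collision in a small in-memory account store and then shows the usual fix: canonicalize the identifier once (Unicode NFKC, strip surrounding whitespace, lower-case) and have every component, registration and lookup alike, use that same canonical form, so a padded variant of an existing address is rejected at registration instead of colliding later.

```python
"""Model of a username-canonicalization mismatch between two services.

Constructed example: the account data below is made up. The "vulnerable"
store keeps the raw registration string while the "shop" component strips
whitespace; the "hardened" store canonicalizes at the boundary so both
agree.
"""
import unicodedata


class VulnerableAccounts:
    """Registration stores the identifier verbatim; the shop trims it."""

    def __init__(self):
        self._accounts = {}  # raw username -> profile dict

    def register(self, username, profile):
        # Only an exact-string collision is detected, so "x" and "x  "
        # are two different accounts.
        if username in self._accounts:
            raise ValueError("username already taken")
        self._accounts[username] = profile
        return username  # session identity is the raw string

    def shop_session_identity(self, session_username):
        # The shop subsystem trims the identity and hands the trimmed
        # value back as the authenticated user.
        return session_username.strip()

    def profile_for(self, identity):
        return self._accounts.get(identity)


def canonical_username(username):
    """Return the single canonical form of an identifier.

    NFKC-normalise (so e.g. U+00A0 becomes a plain space), strip surrounding
    whitespace, lower-case; reject empty results or anything still holding
    whitespace or control characters.
    """
    canon = unicodedata.normalize("NFKC", username).strip().lower()
    if not canon or any(
        ch.isspace() or unicodedata.category(ch).startswith("C") for ch in canon
    ):
        raise ValueError("invalid username")
    return canon


def is_valid_username(username):
    try:
        canonical_username(username)
        return True
    except ValueError:
        return False


class HardenedAccounts:
    """Every entry point runs the same canonicalization."""

    def __init__(self):
        self._accounts = {}  # canonical username -> profile dict

    def register(self, username, profile):
        canon = canonical_username(username)
        if canon in self._accounts:
            raise ValueError("username already taken")
        self._accounts[canon] = profile
        return canon

    def shop_session_identity(self, session_username):
        # Re-deriving the identity yields the same canonical value.
        return canonical_username(session_username)

    def profile_for(self, identity):
        return self._accounts.get(canonical_username(identity))


def demo_vulnerable():
    """Padded registration ends up resolving to the victim's profile."""
    svc = VulnerableAccounts()
    svc.register("victim@example.org", {"owner": "victim"})
    padded = svc.register("victim@example.org  ", {"owner": "second"})
    trimmed = svc.shop_session_identity(padded)  # trimming happens here
    return svc.profile_for(trimmed)["owner"]


def demo_hardened():
    """Padded registration collides at the boundary and is refused."""
    svc = HardenedAccounts()
    svc.register("victim@example.org", {"owner": "victim"})
    try:
        svc.register("victim@example.org  ", {"owner": "second"})
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("vulnerable store resolves to:", demo_vulnerable())
    print("hardened store:", demo_hardened())
```

The check worth carrying into a real system is the last one: any place that re-derives the identity (a subdomain, an SSO bridge, a legacy shop) must call the same canonicalization as registration, and registration must key uniqueness on the canonical form rather than on the raw string.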
More detailed instructions (now patched, at least for shop.us.samsung.com):
1. Register an account at Samsung.com with the email address of a target; use Tamper Data or another HTTP intercept tool to add trailing spaces to the username.
2. Complete the account registration process.
3. Navigate to “shop.us.samsung.com”, ex: http://shop.us.samsung.com/store?Action=DisplayCustomerServiceOrderSearchPage&Locale-en_US&SiteID=samsung
4. Navigate back to the main Samsung.com domain, ex: http://www.samsung.com/us/topic/galaxy-note-10-1-2014-edition
5. Proceed to add items to your cart and go to the checkout page.
6. Notice that the account details and cards on file are those of your target 😉
Sadly because this isn’t a Samsung TV there is no bug bounty for this exploit, but oh well.