Samsung.com Account Takeover Vulnerability Write-up
First of all let me say this: Hurray! They fixed it!
After contacting Samsung multiply times I thought they’d completely blown me off in fixing this bug but it looks patched (hopefully!).
EDIT: Samsung contacted me and said thanks for the report of the vulnerability. They seemed sincerely interested in fixing the problem – quite the opposite of my initial impression with them (their initial impression of me must’ve been odd considering I’m pretty sick with a cold at the time of this writing).
All Samsung.com accounts can be taken over due to an issue with character removal after authentication. When you register at http://samsung.com/ you can add extra spaces to the end of your account name and it will be registered as a separate account altogether. Alone this is not a big issue (other than perhaps spamming an email address by making multiple accounts with additional spaces after them). However, upon navigating to a Samsung subdomain such as http://shop.us.samsung.com/ these trailing spaces are scrubbed from your username. Once this happens and you navigate back to Samsung.com you are authenticated as just a regular email address without any trailing spaces – effectively taking over your target’s account.
(the security puns don’t get worse than that!)
More Detailed instructions (Now patched, at least for shop.us.samsung.com):
Register an account at Samsung.com with the email address of a target, use Tamper Data or another HTTP intercept tool and add trailing spaces to the username.
Complete the account registration process
Navigate to “shop.us.samsung.com”, ex: http://shop.us.samsung.com/store?Action=DisplayCustomerServiceOrderSearchPage&Locale-en_US&SiteID=samsung
Navigate back to the main Samsung.com domain, ex: http://www.samsung.com/us/topic/galaxy-note-10-1-2014-edition
Proceed to attempt to add items to your cart and go to checkout page
Notice the account details and cards on file are those of your target 😉
Sadly because this isn’t a Samsung TV there is no bug bounty for this exploit, but oh well.