Vulnerability That Allowed Hackers to Hijack Samsung.com Accounts Fixed – Video


Proof-of-concept video: http://www.youtube.com/watch?v=NWPRLb36hwU

A security researcher has found a way to hijack Samsung.com accounts. Samsung has since addressed the vulnerability he reported, so the technique no longer allows account takeovers.

The researcher who discovered the issue is Matthew Bryant. He found that an attacker could register an account on Samsung.com using an existing account name with extra spaces appended to the end.

The registration system treated this as a separate account, but when the holder of the padded account moved to another subdomain, such as shop.us.samsung.com, the trailing spaces were stripped from the username before it was looked up.

As a result, the attacker's padded account resolved to the account of the user who had registered the name without the spaces, and the attacker gained access to it. The root cause is two systems that share one account namespace but disagree on the canonical form of an identifier: one stored the username verbatim, the other trimmed it. This is how the attack worked before Samsung fixed the vulnerability.

For example, if an attacker registered an account as "admin@samsung.com<SPACE><SPACE>", he could gain access to the "admin@samsung.com" account on visiting the shop subdomain.

Bryant has published a proof-of-concept video to demonstrate his findings.
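The following is an added example that models the inconsistency described above; it is not Samsung's code or Bryant's proof of concept, and the registry classes, the in-memory store, the owner labels and the identifier policy in canonicalize() are all constructed for illustration. It shows the vulnerable pattern (one service stores the username verbatim, another trims it before lookup) beside a hardened version in which every service applies one canonical form and rejects, rather than trims, whitespace and control characters.

```python
"""Trailing-whitespace account collision: vulnerable vs hardened lookup.

Added example, not code from the original page. The two-service model,
the in-memory registries and the sample accounts are constructed.
"""
import re
import unicodedata

VICTIM = "admin@samsung.com"          # the page's example identifier
ATTACKER_INPUT = VICTIM + "  "        # same identifier plus two trailing spaces


class VulnerableRegistry:
    """Registration service that stores identifiers exactly as typed."""

    def __init__(self):
        self.accounts = {}  # username as stored -> owner label (constructed)

    def register(self, username, owner):
        if username in self.accounts:
            raise ValueError("username already taken")
        self.accounts[username] = owner
        return username


def vulnerable_shop_lookup(registry, username):
    """Shop subdomain resolves the session's username after trimming it.

    The trim is the inconsistency: the attacker's padded identifier maps onto
    the victim's record, so the attacker's session becomes the victim's.
    """
    return registry.accounts.get(username.strip())


# Assumed identifier policy for the hardened version: lower-case address
# characters only, checked after normalization. Adjust to the real policy.
_ALLOWED = re.compile(r"[a-z0-9._%+@-]+")


def canonicalize(username):
    """Single canonical form used by every service, at registration and lookup.

    NFKC folds compatibility forms (e.g. non-breaking space -> space), casefold
    removes case variants, and anything still containing whitespace or a
    control/format character is rejected instead of silently trimmed.
    """
    canon = unicodedata.normalize("NFKC", username).casefold()
    for ch in canon:
        if ch.isspace() or unicodedata.category(ch).startswith("C"):
            raise ValueError("identifier contains whitespace or control characters")
    if not _ALLOWED.fullmatch(canon):
        raise ValueError("identifier contains characters outside the allowed set")
    return canon


class HardenedRegistry(VulnerableRegistry):
    """Registration service that canonicalizes before storing."""

    def register(self, username, owner):
        return super().register(canonicalize(username), owner)


def hardened_shop_lookup(registry, username):
    """Shop subdomain applies the same canonical form before lookup."""
    return registry.accounts.get(canonicalize(username))


def is_rejected(username):
    """True if the hardened policy refuses the identifier outright."""
    try:
        canonicalize(username)
    except ValueError:
        return True
    return False


def demo():
    """Return (owner the vulnerable shop resolves the attacker to,
    whether the hardened registry rejects the padded registration)."""
    vuln = VulnerableRegistry()
    vuln.register(VICTIM, "victim")
    vuln.register(ATTACKER_INPUT, "attacker")   # accepted as a distinct account
    hijacked = vulnerable_shop_lookup(vuln, ATTACKER_INPUT)

    hard = HardenedRegistry()
    hard.register(VICTIM, "victim")
    return hijacked, is_rejected(ATTACKER_INPUT)


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is where normalization happens: once, in one shared function, applied identically at registration and at every lookup. Trimming only on the consuming side (as the shop did) creates exactly the aliasing the attack exploited, and rejecting rather than trimming means a padded name cannot be registered at all, so there is no second record to collide with.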
