Samsung.com Account Takeover Vulnerability Write-up

First of all let me say this: Hurray! They fixed it!

After contacting Samsung multiple times I thought they’d completely blown me off on fixing this bug, but it looks patched (hopefully!).

EDIT: Samsung contacted me and said thanks for the report of the vulnerability. They seemed sincerely interested in fixing the problem – quite the opposite of my initial impression with them (their initial impression of me must’ve been odd considering I’m pretty sick with a cold at the time of this writing).

The Vulnerability

All Samsung.com accounts can be taken over because trailing whitespace in usernames is handled inconsistently across Samsung domains. When you register at http://samsung.com/ you can append extra spaces to the end of your account name, and it is registered as a separate account altogether. On its own this is a minor issue (beyond, perhaps, spamming an email address by creating multiple accounts that differ only in trailing spaces). However, when you navigate to a Samsung subdomain such as http://shop.us.samsung.com/, those trailing spaces are scrubbed from your username. Once that happens and you navigate back to Samsung.com, you are authenticated as the plain email address without any trailing spaces, effectively taking over your target’s account.

So if your registered username was originally “[email protected] ” (with a trailing space), after visiting http://shop.us.samsung.com/ it would be scrubbed to “[email protected]”.

(the security puns don’t get worse than that!)


More Detailed instructions (Now patched, at least for shop.us.samsung.com):

1. Register an account at Samsung.com with the email address of a target; use Tamper Data or another HTTP intercept tool to add trailing spaces to the username.
2. Complete the account registration process.
3. Navigate to “shop.us.samsung.com”, e.g. http://shop.us.samsung.com/store?Action=DisplayCustomerServiceOrderSearchPage&Locale-en_US&SiteID=samsung
4. Navigate back to the main Samsung.com domain, e.g. http://www.samsung.com/us/topic/galaxy-note-10-1-2014-edition
5. Attempt to add items to your cart and go to the checkout page.
6. Notice that the account details and cards on file are those of your target 😉
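The normalization mismatch described in the vulnerability section and walked through in the steps above, as an added Python model (not Samsung’s code): the account store, the owner labels, the example addresses and the one-line "subdomain hop" are all constructed assumptions, and the hardened store shows the fix a defender would want, canonicalizing the identifier once at registration and refusing any collision.

```python
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def canonical(username: str) -> str:
    """One canonical form applied everywhere: NFKC-normalize, trim
    surrounding whitespace and fold case, so variants cannot coexist."""
    return unicodedata.normalize("NFKC", username).strip().lower()


@dataclass
class AccountStore:
    # canonicalize=False models the vulnerable behaviour: the raw string,
    # trailing spaces included, is the account key.
    canonicalize: bool
    accounts: Dict[str, str] = field(default_factory=dict)  # key -> owner

    def _key(self, username: str) -> str:
        return canonical(username) if self.canonicalize else username

    def register(self, username: str, owner: str) -> bool:
        """Return True if a new account was created, False if refused."""
        key = self._key(username)
        if key in self.accounts:
            return False  # collides with an existing account: refuse
        self.accounts[key] = owner
        return True

    def session_owner_after_subdomain(self, username: str) -> Optional[str]:
        """Model the subdomain hop from the write-up (an assumption): that
        host strips trailing spaces, and the main site then treats the
        stripped name as the session identity. Returns the account owner."""
        scrubbed = username.rstrip()
        return self.accounts.get(self._key(scrubbed))


def find_colliding_accounts(usernames: List[str]) -> Dict[str, List[str]]:
    """Audit helper for an existing user table: group stored usernames that
    collapse to the same canonical form (e.g. trailing-space duplicates)."""
    groups: Dict[str, List[str]] = {}
    for name in usernames:
        groups.setdefault(canonical(name), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Running `find_colliding_accounts` over an exported username column is a quick way to check whether a store already holds duplicates that a later canonicalization fix would merge.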

Sadly, because this isn’t a Samsung TV, there is no bug bounty for this exploit, but oh well.

Proof of Concept Video