Samsung Says 'Find My Mobile' Vulnerability Was Fixed Last Month

Share on Facebook Tweet Share Reddit Comment
Samsung Says 'Find My Mobile' Vulnerability Was Fixed Last Month
Samsung has responded to reports from last month about a vulnerability in its Find My Mobile service, specifically that which allowed unauthorised individuals to remotely lock, unlock, and ring Samsung devices.

The Find My Mobile vulnerability was reported by the National Institute of Standards and Technology (NIST) in the US on its National Vulnerability Database (NVD), which gave it a high-severity rating at 7.8, and an exploitability sub-score of 10.0 due to its network exploitable nature, low access complexity, no authentication requirement, and disruption potential.

The Samsung Find My Mobile vulnerability was also reported by Egyptian security researcher Mohamed A. Baset (@SymbianSyMoh), who also uploaded two videos showing the vulnerability being exploited with cross-site request forgery (CSRF) attacks. Baset said he was able to insert scripts into Find My Mobile fields via the Web interface to force the service to lock, unlock, and ring a linked Samsung smartphone.

Samsung responded to the reports on its global blog in a post titled, 'Samsung's Find My Mobile service is safe'. The South Korean consumer electronics giant said the "reported issue in Find My Mobile was fixed through an update on October 13, and no user information has been compromised. Even before the update, any data from the phone or on the server could not be accessed by the hacker."

It added, "Samsung Electronics takes the security of our products very seriously and remains committed to providing our customers with the best user experience."

The firm did highlight conditions (seen below) required for the "unlikely situation" in which an attacker could remotely lock, unlock, and ring a Samsung device, but once again stressed the attacker would not have been able to access data.

  1. The attacker occupies a way to send a link containing malicious code.
  2. The Find My Mobile user sets up Find My Mobile Remote control 'ON' at his/her device
  3. The user enters up his/her ID and password and logs on Find My Mobile website (http://findmymobile.samsung.com) (If the user doesn't use the website after log-on, it will be automatically logged out)
  4. The user clicks the link in email/instant message/SMS sent by attackers
Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

India Requested Highest Number of Content Blocks: Facebook
Dropbox Finally Announces Apps for Windows Phone and Windows Tablets
 
 

Advertisement

 

Advertisement

© Copyright Red Pixels Ventures Limited 2019. All rights reserved.