The Find My Mobile vulnerability was reported by the National Institute of Standards and Technology (NIST) in the US on its National Vulnerability Database (NVD), which gave it a high-severity rating at 7.8, and an exploitability sub-score of 10.0 due to its network exploitable nature, low access complexity, no authentication requirement, and disruption potential.
The Samsung Find My Mobile vulnerability was also reported by Egyptian security researcher Mohamed A. Baset (@SymbianSyMoh), who also uploaded two videos showing the vulnerability being exploited with cross-site request forgery (CSRF) attacks. Baset said he was able to insert scripts into Find My Mobile fields via the Web interface to force the service to lock, unlock, and ring a linked Samsung smartphone.
Samsung responded to the reports on its global blog in a post titled, 'Samsung's Find My Mobile service is safe'. The South Korean consumer electronics giant said the "reported issue in Find My Mobile was fixed through an update on October 13, and no user information has been compromised. Even before the update, any data from the phone or on the server could not be accessed by the hacker."
It added, "Samsung Electronics takes the security of our products very seriously and remains committed to providing our customers with the best user experience."
The firm did highlight conditions (seen below) required for the "unlikely situation" in which an attacker could remotely lock, unlock, and ring a Samsung device, but once again stressed the attacker would not have been able to access data.
- The attacker occupies a way to send a link containing malicious code.
- The Find My Mobile user sets up Find My Mobile Remote control 'ON' at his/her device
- The user enters up his/her ID and password and logs on Find My Mobile website (http://findmymobile.samsung.com) (If the user doesn't use the website after log-on, it will be automatically logged out)
- The user clicks the link in email/instant message/SMS sent by attackers