Home
Mobiles
Mobiles News
Samsung Says 'Find My Mobile' Vulnerability Was Fixed Last Month

Samsung Says 'Find My Mobile' Vulnerability Was Fixed Last Month

By NDTV Correspondent | Updated: 5 November 2014 19:17 IST

Samsung has responded to reports from last month about a vulnerability in its Find My Mobile service, specifically that which allowed unauthorised individuals to remotely lock, unlock, and ring Samsung devices.

The Find My Mobile vulnerability was reported by the National Institute of Standards and Technology (NIST) in the US on its National Vulnerability Database (NVD), which gave it a high-severity rating at 7.8, and an exploitability sub-score of 10.0 due to its network exploitable nature, low access complexity, no authentication requirement, and disruption potential.

The Samsung Find My Mobile vulnerability was also reported by Egyptian security researcher Mohamed A. Baset (@SymbianSyMoh), who also uploaded two videos showing the vulnerability being exploited with cross-site request forgery (CSRF) attacks. Baset said he was able to insert scripts into Find My Mobile fields via the Web interface to force the service to lock, unlock, and ring a linked Samsung smartphone.

Samsung responded to the reports on its global blog in a post titled, 'Samsung's Find My Mobile service is safe'. The South Korean consumer electronics giant said the "reported issue in Find My Mobile was fixed through an update on October 13, and no user information has been compromised. Even before the update, any data from the phone or on the server could not be accessed by the hacker."

It added, "Samsung Electronics takes the security of our products very seriously and remains committed to providing our customers with the best user experience."

The firm did highlight conditions (seen below) required for the "unlikely situation" in which an attacker could remotely lock, unlock, and ring a Samsung device, but once again stressed the attacker would not have been able to access data.

The attacker occupies a way to send a link containing malicious code.
The Find My Mobile user sets up Find My Mobile Remote control 'ON' at his/her device
The user enters up his/her ID and password and logs on Find My Mobile website (http://findmymobile.samsung.com) (If the user doesn't use the website after log-on, it will be automatically logged out)
The user clicks the link in email/instant message/SMS sent by attackers

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.