A Flaw Within Samsung’s ‘Find My Phone’ Service Allows Hackers to Remotely Lock Your Device

Samsung users beware, a zero-day flaw was discovered within the Samsung Find My Phone online phone tracking service. The flaw was announced by the National Institute of Standards and Technology, and discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an Information Security Evangelist from Egypt. It has been given the name CVE-2014-8346.

The vulnerability allows a remote hacker to cause your device to lock or unlock itself, as well as to cause it to ring. This can be done via what is called a Cross-Site Request Forgery (CSRF). It’s an attack that fools the user into loading a page that contains a uniquely designed HTML exploit page. This tricks the victim into clicking a URL that contains a malicious code and unauthorized queries.

The malicious link will have the same privileges as would the authorized user, and an perform all tasks on behalf of him. This means it can purchase items, change the victim’s info, change passwords, and more. It can even steal sensitive information about the user.

The US-CERT/NIST rated the severity of this vulnerability as HIGH and gave it an exploitability score of 10.

Here is a proof of concept video from the original discoverer: